add 2048 bits of DH params for nginx, postfix, dovecot

nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own. ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.) see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3
2026-03-30 21:07:23 +02:00 · 2014-09-26 22:01:38 +00:00
parent c2eb8e5330
commit 39bca053ed
5 changed files with 17 additions and 4 deletions
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -9,9 +9,11 @@ apt_install nginx php5-fpm

 rm -f /etc/nginx/sites-enabled/default

-# copy in a nginx configuration file for common and best-practices
-# SSL settings from @konklone
-cp conf/nginx-ssl.conf /etc/nginx/nginx-ssl.conf
+# Copy in a nginx configuration file for common and best-practices
+# SSL settings from @konklone. Replace STORAGE_ROOT so it can find
+# the DH params.
+sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
+	conf/nginx-ssl.conf > /etc/nginx/nginx-ssl.conf

 # Fix some nginx defaults.
 # The server_names_hash_bucket_size seems to prevent long domain names?