Logjam attack protection (stronger Diffie-Hellman for TLS)
authorSilvio Rhatto <rhatto@riseup.net>
Sat, 23 May 2015 14:23:56 +0000 (11:23 -0300)
committerSilvio Rhatto <rhatto@riseup.net>
Sat, 23 May 2015 14:23:56 +0000 (11:23 -0300)
manifests/init.pp

index eaeea8aa74731a1d028450a7e0ee8f89d8afdf80..7c827de7cefd1de26882d3fdab0e9095001a0163 100644 (file)
@@ -21,6 +21,15 @@ class nginx inherits nginx::base(
 ) {
   include ssl
 
+  # See https://weakdh.org/
+  exec { 'openssl-nginx-gendh-2048':
+    command => 'openssl dhparam -out /etc/ssl/private/dhparams.pem 2048',
+    user    => root,
+    group   => root,
+    creates => '/etc/ssl/private/dh_2048.pem',
+    notify  => Service['nginx'],
+  }
+
   case $deploy_certs {
     true: {
       ssl::cert { "$::domain":
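Review bot: The `creates` guard on the new exec does not match the file the command writes — the command outputs `/etc/ssl/private/dhparams.pem` while `creates` points at `/etc/ssl/private/dh_2048.pem`, so the guard is never satisfied and the (slow) 2048-bit dhparam generation reruns and restarts nginx on every Puppet run; change it to `creates => '/etc/ssl/private/dhparams.pem',`. The command is also not fully qualified and the resource sets no `path`, so unless an `Exec` resource default supplies one elsewhere in the module Puppet will refuse to run it; `/usr/bin/openssl dhparam ...` or `path => ['/usr/bin', '/bin']` would make the resource self-contained. Finally, the generated file only mitigates Logjam once the vhost config references it via `ssl_dhparam`, which nothing in this hunk does — presumably that lives in a template outside this diff, worth confirming.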
@@ -38,10 +47,10 @@ class nginx inherits nginx::base(
       }
 
       Service["nginx"] {
-        require    => [ Package["nginx"],
-                        File["/etc/nginx/sites-enabled/${::domain}"],
-                        File["/etc/ssl/private/${::domain}.pem"],
-                        File["/etc/ssl/certs/${::domain}.crt"] ],
+        require => [ Package["nginx"],
+                     File["/etc/nginx/sites-enabled/${::domain}"],
+                     File["/etc/ssl/private/${::domain}.pem"],
+                     File["/etc/ssl/certs/${::domain}.crt"] ],
       }
     }
   }