diff options
author | Kim Alvefur <zash@zash.se> | 2024-07-12 15:06:42 +0200 |
---|---|---|
committer | Kim Alvefur <zash@zash.se> | 2024-07-12 15:06:42 +0200 |
commit | cf446f4188a53396e30f392cae8443fd2eb52f4e (patch) | |
tree | f43b01f92e21559d96ac0bc5a530249dd3afd681 /core | |
parent | dd657746b490c203d3e503d9359fec9dca6884fd (diff) | |
download | prosody-cf446f4188a53396e30f392cae8443fd2eb52f4e.tar.gz prosody-cf446f4188a53396e30f392cae8443fd2eb52f4e.zip |
core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param
This removes one manual (yet undocumented) step that was supposed to be
done to get a complete 'intermediate' configuration.
This file can be found on the Internet by searching for "ffdhe2048" and
can be verified by comparing the hexadecimal representation of p from
the RFC with the output of `openssl asn1parse`.
Given the preference and prevalence of ECDHE, it seems likely that few
would have noticed this.
Diffstat (limited to 'core')
-rw-r--r-- | core/certmanager.lua | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/core/certmanager.lua b/core/certmanager.lua index 263797e5..9e0ace6a 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -213,6 +213,18 @@ local core_defaults = { dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; } +-- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1 +local ffdhe2048 = [[ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- +]] + local mozilla_ssl_configs = { -- https://wiki.mozilla.org/Security/Server_Side_TLS -- Version 5.7 as of 2023-07-09 @@ -225,7 +237,7 @@ local mozilla_ssl_configs = { }; intermediate = { protocol = "tlsv1_2+"; - dhparam = nil; -- ffdhe2048.txt + dhparam = ffdhe2048; options = { cipher_server_preference = false }; ciphers = { "ECDHE-ECDSA-AES128-GCM-SHA256"; |