core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param

This removes one manual (yet undocumented) step that was supposed to be
done to get a complete 'intermediate' configuration.

This file can be found on the Internet by searching for "ffdhe2048" and
can be verified by comparing the hexadecimal representation of p from
the RFC with the output of `openssl asn1parse`.

Given the preference and prevalence of ECDHE, it seems likely that few
would have noticed this.

1 files changed, 13 insertions, 1 deletions

diff --git a/core/certmanager.lua b/core/certmanager.lua
index 263797e5..9e0ace6a 100644
--- a/core/certmanager.lua
+++ b/core/certmanager.lua
@@ -213,6 +213,18 @@ local core_defaults = {
 	dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" };
 }
 
+-- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1
+local ffdhe2048 = [[
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
+]]
+
 local mozilla_ssl_configs = {
 	-- https://wiki.mozilla.org/Security/Server_Side_TLS
 	-- Version 5.7 as of 2023-07-09
@@ -225,7 +237,7 @@ local mozilla_ssl_configs = {
 	};
 	intermediate = {
 		protocol = "tlsv1_2+";
-		dhparam = nil; -- ffdhe2048.txt
+		dhparam = ffdhe2048;
 		options = { cipher_server_preference = false };
 		ciphers = {
 			"ECDHE-ECDSA-AES128-GCM-SHA256";