From cf446f4188a53396e30f392cae8443fd2eb52f4e Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 12 Jul 2024 15:06:42 +0200 Subject: core.certmanager: Include ffdhe2048 from RFC 7919 as default DH param This removes one manual (yet undocumented) step that was supposed to be done to get a complete 'intermediate' configuration. This file can be found on the Internet by searching for "ffdhe2048" and can be verified by comparing the hexadecimal representation of p from the RFC with the output of `openssl asn1parse`. Given the preference and prevalence of ECDHE, it seems likely that few would have noticed this. --- core/certmanager.lua | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/core/certmanager.lua b/core/certmanager.lua index 263797e5..9e0ace6a 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -213,6 +213,18 @@ local core_defaults = { dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; } +-- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1 +local ffdhe2048 = [[ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- +]] + local mozilla_ssl_configs = { -- https://wiki.mozilla.org/Security/Server_Side_TLS -- Version 5.7 as of 2023-07-09 @@ -225,7 +237,7 @@ local mozilla_ssl_configs = { }; intermediate = { protocol = "tlsv1_2+"; - dhparam = nil; -- ffdhe2048.txt + dhparam = ffdhe2048; options = { cipher_server_preference = false }; ciphers = { "ECDHE-ECDSA-AES128-GCM-SHA256"; -- cgit v1.2.3