From d4bea7dd346ce48c8c590dbb0c323af747f2e095 Mon Sep 17 00:00:00 2001
From: SohKa
Date: Tue, 26 May 2020 19:17:03 +0200
Subject: [PATCH 1/5] Add pre-defined DHE group and set up Nginx to use it
---
 data/other/dh2048.pem | 8 ++++++++
 data/templates/nginx/security.conf.inc | 5 ++---
 debian/install | 1 +
 3 files changed, 11 insertions(+), 3 deletions(-)
 create mode 100644 data/other/dh2048.pem
diff --git a/data/other/dh2048.pem b/data/other/dh2048.pem
new file mode 100644
index 000000000..9b182b720
--- /dev/null
+++ b/data/other/dh2048.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/data/templates/nginx/security.conf.inc b/data/templates/nginx/security.conf.inc
index dea0f49db..e221dc0ff 100644
--- a/data/templates/nginx/security.conf.inc
+++ b/data/templates/nginx/security.conf.inc
@@ -14,9 +14,8 @@ ssl_protocols TLSv1.2;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_prefer_server_ciphers off;
-# Uncomment the following directive after DH generation
-# > openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048
-#ssl_dhparam /etc/ssl/private/dh2048.pem;
+# Pre-defined FFDHE group (RFC 7919)
+ssl_dhparam /etc/ssl/dh2048.pem;
 # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
 # https://wiki.mozilla.org/Security/Guidelines/Web_Security
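Review bot: Nothing in the new dh2048.pem lets a reader confirm that the blob is the RFC 7919 ffdhe2048 group rather than an arbitrary locally generated 2048-bit group; the two look identical by eye, and a PEM file has no comment syntax to carry that information. Since the whole point of shipping a fixed group is that it is a published, well-reviewed one, the commit message or a README next to the file should give the verification step, e.g. decode it with `openssl dhparam -in data/other/dh2048.pem -text -noout` and compare the prime and generator with RFC 7919 Appendix A.1. That keeps any later replacement of the file reviewable without trusting the filename.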
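Review bot: The `ssl_dhparam` directive is now unconditional, whereas the removed lines left it commented out and told the admin to generate a group in /etc/ssl/private/dh2048.pem; an admin who followed that advice and uncommented the directive will, if this template is regenerated over the live config, have their own group silently replaced by the shipped one, which the commit message does not mention. The comment should also say what the directive actually affects, because with `ssl_prefer_server_ciphers off` and the `DHE-RSA-*` suites listed last in `ssl_ciphers` the group is only exercised by clients that negotiate one of those two suites; something like `# Pre-defined FFDHE group (RFC 7919), used only by the DHE-RSA-* suites above; replaces the former opt-in self-generated group` would cover both points. The hunk drops two blank lines somewhere around the changed block that the header counts (9/8 lines) account for but the collapsed text does not show, so the exact placement of the comment is inferred.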
diff --git a/debian/install b/debian/install
index a814d1617..e59214678 100644
--- a/debian/install
+++ b/debian/install
@@ -8,6 +8,7 @@ data/other/yunoprompt.service /etc/systemd/system/
 data/other/password/* /usr/share/yunohost/other/password/
 data/other/dpkg-origins/yunohost /etc/dpkg/origins
 data/other/dnsbl_list.yml /usr/share/yunohost/other/
+data/other/dh2048.pem /etc/ssl/
 data/other/* /usr/share/yunohost/yunohost-config/moulinette/
 data/templates/* /usr/share/yunohost/templates/
 data/helpers /usr/share/yunohost/
From 9906617aa1f60a5a0fec8de73d4c2b34cd5a1278 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Thu, 4 Jun 2020 18:41:05 +0200
Subject: [PATCH 2/5] Add comments about where the DH param comes from
---
 data/templates/nginx/security.conf.inc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/data/templates/nginx/security.conf.inc b/data/templates/nginx/security.conf.inc
index e221dc0ff..9de40f9cf 100644
--- a/data/templates/nginx/security.conf.inc
+++ b/data/templates/nginx/security.conf.inc
@@ -15,6 +15,8 @@ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDS
 ssl_prefer_server_ciphers off;
 # Pre-defined FFDHE group (RFC 7919)
+# From https://ssl-config.mozilla.org/ffdhe2048.txt
+# https://security.stackexchange.com/a/149818
 ssl_dhparam /etc/ssl/dh2048.pem;
 # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
From cc04c4b937e053aab15af2f57e30373572be39b9 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Thu, 4 Jun 2020 18:42:40 +0200
Subject: [PATCH 3/5] Rename dh2048.pem to ffdhe2048.pem
---
 data/other/{dh2048.pem => ffdhe2048.pem} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename data/other/{dh2048.pem => ffdhe2048.pem} (100%)
diff --git a/data/other/dh2048.pem b/data/other/ffdhe2048.pem
similarity index 100%
rename from data/other/dh2048.pem
rename to data/other/ffdhe2048.pem
From b5a0a44a7f49718ce241588ea2ff2346a49c00c6 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Thu, 4 Jun 2020 18:43:24 +0200
Subject: [PATCH 4/5] Put ffdhe2048.pem in /usr/share/yunohost/other/ instead of /etc/ssl
---
 debian/install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/install b/debian/install
index e59214678..777d7973e 100644
--- a/debian/install
+++ b/debian/install
@@ -8,7 +8,7 @@ data/other/yunoprompt.service /etc/systemd/system/
 data/other/password/* /usr/share/yunohost/other/password/
 data/other/dpkg-origins/yunohost /etc/dpkg/origins
 data/other/dnsbl_list.yml /usr/share/yunohost/other/
-data/other/dh2048.pem /etc/ssl/
+data/other/ffdhe2048.pem /usr/share/yunohost/other/
 data/other/* /usr/share/yunohost/yunohost-config/moulinette/
 data/templates/* /usr/share/yunohost/templates/
 data/helpers /usr/share/yunohost/
From 1cfa815aaaddac58a2f413d74f0f75a9f9381998 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Thu, 4 Jun 2020 18:44:02 +0200
Subject: [PATCH 5/5] Propagate location change for ffdhe2048.pem
---
 data/templates/nginx/security.conf.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/templates/nginx/security.conf.inc b/data/templates/nginx/security.conf.inc
index 9de40f9cf..4c6461506 100644
--- a/data/templates/nginx/security.conf.inc
+++ b/data/templates/nginx/security.conf.inc
@@ -17,7 +17,7 @@ ssl_prefer_server_ciphers off;
 # Pre-defined FFDHE group (RFC 7919)
 # From https://ssl-config.mozilla.org/ffdhe2048.txt
 # https://security.stackexchange.com/a/149818
-ssl_dhparam /etc/ssl/dh2048.pem;
+ssl_dhparam /usr/share/yunohost/other/ffdhe2048.pem;
 # Follows the Web Security Directives from the Mozilla Dev Lab and the Mozilla Obervatory + Partners
 # https://wiki.mozilla.org/Security/Guidelines/Web_Security
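Review bot: The new `ssl_dhparam /usr/share/yunohost/other/ffdhe2048.pem;` line is only correct because the debian/install hunk in patch 4 puts the file at exactly that path, and neither file references the other, so a future move of one side breaks the other without any warning at review time; nginx refuses to load a configuration whose ssl_dhparam file it cannot open, so the failure mode is a web server that does not start after an upgrade. A pointer in the template, such as `# Shipped by the yunohost package at this path (see debian/install); nginx will not load the config if it is missing`, makes the coupling visible where it is edited. The same coupling exists for the /etc/ssl/ path in patch 1, which this series already replaces, so the note is needed only here.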