From c32095df77012083a1b406622bca19e65d301fab Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Sat, 4 Jun 2016 23:02:08 -0300
Subject: Move to 2048 bit DH params using ssl::dhparams

---
 manifests/tls/hardened.pp | 42 +++++++++++++++++++++++++++++-------------
 1 file changed, 29 insertions(+), 13 deletions(-)

diff --git a/manifests/tls/hardened.pp b/manifests/tls/hardened.pp
index 735135c..cf7d1dd 100644
--- a/manifests/tls/hardened.pp
+++ b/manifests/tls/hardened.pp
@@ -15,28 +15,44 @@ class mail::tls::hardened inherits mail::tls {
   # DH parameters
   postfix::config { "smtpd_tls_eecdh_grade": value => 'strong' }
 
+  #postfix::config { "smtpd_tls_dh1024_param_file":
+  #  value => '/etc/ssl/dhparams/dhparams_1024.pem',
+  #  require => Exec['openssl-postfix-gendh-1024'],
+  #}
+
+  # See https://leap.se/code/issues/4012
+  # https://drownattack.com/postfix.html
   postfix::config { "smtpd_tls_dh1024_param_file":
-    value => '/etc/postfix/dh_1024.pem',
-    require => Exec['openssl-postfix-gendh-1024'],
+    value => '/etc/ssl/dhparams/dhparams_2048.pem',
+    require => Exec['openssl-postfix-gendh-2048'],
+  }
+
+  # Old file locations
+  file { [ '/etc/postfix/dh_512.pem', '/etc/postfix/dh_1024.pem' ]:
+    ensure => absent,
   }
 
   postfix::config { "smtpd_tls_dh512_param_file":
-    value => '/etc/postfix/dh_512.pem',
+    value => '/etc/ssl/dhparams/dhparams_512.pem',
     require => Exec['openssl-postfix-gendh-512'],
   }
 
-  exec { 'openssl-postfix-gendh-512':
-    command => 'openssl gendh -out /etc/postfix/dh_512.pem -2 512',
-    user => root,
-    group => root,
-    creates => '/etc/postfix/dh_512.pem',
+  ssl::dhparams { 'openssl-postfix-gendh-512':
+    prefix => 'dh',
+    size => '512',
+    folder => '/etc/postfix',
+  }
+
+  ssl::dhparams { 'openssl-postfix-gendh-1024':
+    prefix => 'dh',
+    size => '1024',
+    folder => '/etc/postfix',
   }
 
-  exec { 'openssl-postfix-gendh-1024':
-    command => 'openssl gendh -out /etc/postfix/dh_1024.pem -2 1024',
-    user => root,
-    group => root,
-    creates => '/etc/postfix/dh_1024.pem',
+  ssl::dhparams { 'openssl-postfix-gendh-2048':
+    prefix => 'dh',
+    size => '2048',
+    folder => '/etc/postfix',
   }
 
   postfix::config { "smtpd_tls_exclude_ciphers":
-- 
cgit v1.2.3
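Review bot: The `require => Exec['openssl-postfix-gendh-2048']` and `require => Exec['openssl-postfix-gendh-512']` lines still reference Exec resources, but this hunk replaces the exec declarations with `ssl::dhparams` resources of the same titles; unless the ssl::dhparams define internally declares an Exec with exactly that title, the catalog will fail on a dangling reference, and `require => Ssl::Dhparams['openssl-postfix-gendh-2048']` (likewise for -512) is the form that holds regardless. The file paths also look inconsistent: the `postfix::config` values point at `/etc/ssl/dhparams/dhparams_2048.pem` and `dhparams_512.pem`, while the generators are declared with `prefix => 'dh'` and `folder => '/etc/postfix'`, which presumably produce `/etc/postfix/dh_*.pem` — the very paths the new `file { ... ensure => absent }` resource deletes on every run — so please confirm where ssl::dhparams actually writes its output before merging. Separately, the 512-bit group is still generated and wired to `smtpd_tls_dh512_param_file`; Postfix only consults it for export-grade ciphers, so it is harmless only if `smtpd_tls_exclude_ciphers` (whose value lies outside the hunk) excludes EXPORT, and a class named "hardened" could simply drop the 512-bit resource and setting. The commented-out `#postfix::config` block at the top of the hunk is dead code and can go; the two-line comment below it already explains the change.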