From c32095df77012083a1b406622bca19e65d301fab Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Sat, 4 Jun 2016 23:02:08 -0300
Subject: Move to 2048 bit DH params using ssl::dhparams

---
 manifests/tls/hardened.pp | 42 +++++++++++++++++++++++++++++-------------
 1 file changed, 29 insertions(+), 13 deletions(-)

diff --git a/manifests/tls/hardened.pp b/manifests/tls/hardened.pp
index 735135c..cf7d1dd 100644
--- a/manifests/tls/hardened.pp
+++ b/manifests/tls/hardened.pp
@@ -15,28 +15,44 @@ class mail::tls::hardened inherits mail::tls {
   # DH parameters
   postfix::config { "smtpd_tls_eecdh_grade": value => 'strong' }
 
+  #postfix::config { "smtpd_tls_dh1024_param_file":
+  #  value   => '/etc/ssl/dhparams/dhparams_1024.pem',
+  #  require => Exec['openssl-postfix-gendh-1024'],
+  #}
+
+  # See https://leap.se/code/issues/4012
+  #     https://drownattack.com/postfix.html
   postfix::config { "smtpd_tls_dh1024_param_file":
-    value   => '/etc/postfix/dh_1024.pem',
-    require => Exec['openssl-postfix-gendh-1024'],
+    value   => '/etc/ssl/dhparams/dhparams_2048.pem',
+    require => Exec['openssl-postfix-gendh-2048'],
+  }
+
+  # Old file locations
+  file { [ '/etc/postfix/dh_512.pem', '/etc/postfix/dh_1024.pem' ]:
+    ensure => absent,
   }
 
   postfix::config { "smtpd_tls_dh512_param_file":
-    value   => '/etc/postfix/dh_512.pem',
+    value   => '/etc/ssl/dhparams/dhparams_512.pem',
     require => Exec['openssl-postfix-gendh-512'],
   }
 
-  exec { 'openssl-postfix-gendh-512':
-    command => 'openssl gendh -out /etc/postfix/dh_512.pem -2 512',
-    user    => root,
-    group   => root,
-    creates => '/etc/postfix/dh_512.pem',
+  ssl::dhparams { 'openssl-postfix-gendh-512':
+    prefix => 'dh',
+    size   => '512',
+    folder => '/etc/postfix',
+  }
+
+  ssl::dhparams { 'openssl-postfix-gendh-1024':
+    prefix => 'dh',
+    size   => '1024',
+    folder => '/etc/postfix',
   }
 
-  exec { 'openssl-postfix-gendh-1024':
-    command => 'openssl gendh -out /etc/postfix/dh_1024.pem -2 1024',
-    user    => root,
-    group   => root,
-    creates => '/etc/postfix/dh_1024.pem',
+  ssl::dhparams { 'openssl-postfix-gendh-2048':
+    prefix => 'dh',
+    size   => '2048',
+    folder => '/etc/postfix',
   }
 
   postfix::config { "smtpd_tls_exclude_ciphers":
-- 
cgit v1.2.3