From 7aeb5a4c3353b8abab3d6e6b1d32b9d1fdf09ee8 Mon Sep 17 00:00:00 2001
From: Silvio Rhatto <rhatto@riseup.net>
Date: Sat, 23 May 2015 11:23:56 -0300
Subject: Logjam attack protection (stronger Diffie-Hellman for TLS)

---
 manifests/init.pp | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/manifests/init.pp b/manifests/init.pp
index eaeea8a..7c827de 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -21,6 +21,15 @@ class nginx inherits nginx::base(
 ) {
   include ssl
 
+  # See https://weakdh.org/
+  exec { 'openssl-nginx-gendh-2048':
+    command => 'openssl dhparam -out /etc/ssl/private/dhparams.pem 2048',
+    user    => root,
+    group   => root,
+    creates => '/etc/ssl/private/dh_2048.pem',
+    notify  => Service['nginx'],
+  }
+
   case $deploy_certs {
     true: {
       ssl::cert { "$::domain":
@@ -38,10 +47,10 @@ class nginx inherits nginx::base(
       }
 
       Service["nginx"] {
-        require    => [ Package["nginx"],
-                        File["/etc/nginx/sites-enabled/${::domain}"],
-                        File["/etc/ssl/private/${::domain}.pem"],
-                        File["/etc/ssl/certs/${::domain}.crt"] ],
+        require => [ Package["nginx"],
+                     File["/etc/nginx/sites-enabled/${::domain}"],
+                     File["/etc/ssl/private/${::domain}.pem"],
+                     File["/etc/ssl/certs/${::domain}.crt"] ],
       }
     }
   }
-- 
cgit v1.2.3