Use -dsaparam by default
* Use -dsaparam by default when generating DH parameter PEM files.
Change-Id: I0af13af6583607d7f1d53034729c631223f904b3
Prod-related: PROD-26865 (PROD:26865)
(cherry picked from commit 4f4e7d4cf0bd65579c49cf710ce0dfc1ed08c629)
diff --git a/README.rst b/README.rst
index 62ceab2..fa005ef 100644
--- a/README.rst
+++ b/README.rst
@@ -579,6 +579,7 @@
dhparam:
enabled: True
numbits: 2048
+ use_dsaparam: True
ecdh_curve:
secp384r1:
name: 'secp384r1'
diff --git a/nginx/server.sls b/nginx/server.sls
index 45339d0..d2fd650 100644
--- a/nginx/server.sls
+++ b/nginx/server.sls
@@ -137,16 +137,16 @@
{%- set generate_dhparams = { 'enabled': False } %}
{%- for site_name, site in server.get('site', {}).iteritems() %}
-{%- if site.get('ssl', {}).get('enabled') and site.ssl.get('mode', 'secure') == 'secure' %}
- {%- do generate_dhparams.update({ 'enabled': True }) %}
- {%- break %}
-{%- endif %}
+ {%- if site.get('ssl', {}).get('enabled') and site.ssl.get('mode', 'secure') == 'secure' %}
+ {%- do generate_dhparams.update({ 'enabled': True }) %}
+ {%- break %}
+ {%- endif %}
{%- endfor %}
{%- if generate_dhparams['enabled'] %}
nginx_generate_dhparams:
cmd.run:
- - name: openssl dhparam -out /etc/ssl/dhparams.pem 2048
+ - name: openssl dhparam -dsaparam -out /etc/ssl/dhparams.pem 2048
- creates: /etc/ssl/dhparams.pem
- require:
- pkg: nginx_packages
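Review bot: The global parameter file on line 38 now gets `-dsaparam` unconditionally with no opt-out, while the per-site generator in sites.sls honours a `use_dsaparam` flag, so an operator who disables it for a site still ends up with DSA-style parameters in /etc/ssl/dhparams.pem whenever this path is taken. The caveat worth recording next to the command is that `-dsaparam` produces a DSA-style modulus rather than a safe prime, which OpenSSL documents as safe for DH only if the server draws a fresh DH private key per handshake (a small-subgroup attack becomes possible if the key is reused); nginx on current OpenSSL does this by default, but that assumption should not stay implicit. I would add above the `cmd.run`: `# -dsaparam: non-safe-prime params, much faster to generate; only safe because nginx/OpenSSL use a fresh DH key per handshake` and read the same knob here as sites.sls does, with a server-level default (exact pillar path to be confirmed against the model). Note also that `creates:` means hosts that already have the file keep whatever style was generated before this change.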
diff --git a/nginx/server/sites.sls b/nginx/server/sites.sls
index b8cb743..39dd612 100644
--- a/nginx/server/sites.sls
+++ b/nginx/server/sites.sls
@@ -7,9 +7,13 @@
{%- if site.get('ssl', {'enabled': False}).enabled %}
{%- if site.ssl.get('dhparam', {'enabled': False}).enabled %}
+ {%- set _use_dsa = '-dsaparam' %}
+ {%- if not site.ssl.dhparam.get('use_dsaparam', True) %}
+ {%- set _use_dsa = '' %}
+ {% endif %}
nginx_generate_{{ site_name }}_dhparams:
cmd.run:
- - name: openssl dhparam -out /etc/ssl/dhparams_{{ site_name }}.pem {% if site.ssl.dhparam.numbits is defined %}{{ site.ssl.dhparam.numbits }}{% else %}2048{% endif %}
+ - name: openssl dhparam {{ _use_dsa }} -out /etc/ssl/dhparams_{{ site_name }}.pem {% if site.ssl.dhparam.numbits is defined %}{{ site.ssl.dhparam.numbits }}{% else %}2048{% endif %}
- unless: "test -f /etc/ssl/dhparams_{{ site_name }}.pem && [ $(openssl dhparam -inform PEM -in /etc/ssl/dhparams_{{ site_name }}.pem -check -text | grep -Po 'DH Parameters: \\(\\K[0-9]+') = {% if site.ssl.dhparam.numbits is defined %}{{ site.ssl.dhparam.numbits }}{% else %}2048{% endif %} ]"
- require:
- pkg: nginx_packages
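Review bot: Toggling `use_dsaparam` has no effect on a host that already has the file, because the `unless` on line 57 only checks existence and bit length; a parameter file generated with the opposite setting is never regenerated and nothing records which style it is, so the new option is silently ignored there. Either the README/commit message should state that the flag only affects freshly generated files, or the guard should inspect the parameters themselves (e.g. whether `openssl dhparam -check` reports p as a safe prime — the exact output to match would need checking against the installed OpenSSL). Separately, the new `{% endif %}` on line 52 lacks the `-` whitespace control every sibling tag uses, which leaves a stray whitespace line in the rendered state; make it `{%- endif %}`.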