Use stronger Diffie-Hellman group
diff --git a/nginx/files/_ssl_secure.conf b/nginx/files/_ssl_secure.conf
index 0ae8811..ca24272 100644
--- a/nginx/files/_ssl_secure.conf
+++ b/nginx/files/_ssl_secure.conf
@@ -3,3 +3,4 @@
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
 ssl_prefer_server_ciphers on;
 ssl_ecdh_curve secp521r1;
+ssl_dhparam /etc/ssl/dhparams.pem;
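Review bot: The added `ssl_dhparam /etc/ssl/dhparams.pem;` makes this snippet depend on a file that only the `generate_dhparams` state in nginx/server.sls creates, and nothing here records that. That state sits inside a Jinja conditional whose opening is not visible in this diff. If the snippet is included on a host where that branch is skipped, or where generation failed, nginx will likely refuse to load the configuration because the file cannot be opened. A comment above the directive would document the dependency, for example `# created by the generate_dhparams state in nginx/server.sls; only affects the DHE-* suites`. It is also worth confirming that every deployment path for this file runs that state.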
diff --git a/nginx/server.sls b/nginx/server.sls
index 72d2e2c..7be9fb0 100644
--- a/nginx/server.sls
+++ b/nginx/server.sls
@@ -39,4 +39,13 @@
   - require:
     - pkg: nginx_packages
 
+generate_dhparams:
+  cmd.run:
+  - name: openssl dhparam -out /etc/ssl/dhparams.pem 2048
+  - creates: /etc/ssl/dhparams.pem
+  - require:
+    - pkg: nginx_packages
+  - watch_in:
+    - service: nginx_service
+
 {%- endif %}
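Review bot: The `creates: /etc/ssl/dhparams.pem` guard in `generate_dhparams` only checks that the path exists, so the state never re-runs once any file is there. If a slow `openssl dhparam` run is interrupted, it may leave an empty or truncated file that nginx then fails to load. A pre-existing file with a smaller group would also be kept silently, which defeats the purpose of the commit. Writing to a temporary path and renaming on success avoids the partial-file case: `- name: openssl dhparam -out /etc/ssl/dhparams.pem.tmp 2048 && mv /etc/ssl/dhparams.pem.tmp /etc/ssl/dhparams.pem`. The enclosing `{% if %}` block opens outside this hunk, so which hosts run this state cannot be checked from here.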