From 7f72a9eda4f9e39dc7ef89a84182c965bd690910 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Fri, 19 Mar 2021 13:13:56 +0200
Subject: [PATCH] roles/nginx: Use RFC 7919 4096-bit dhparams

Recommended by internet.nl, which made me aware of RFC 7919. See: https://tools.ietf.org/html/rfc7919#page-14

---
 roles/nginx/tasks/vhosts.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/roles/nginx/tasks/vhosts.yml b/roles/nginx/tasks/vhosts.yml
index 758f3fe..6fbacfa 100644
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@@ -12,8 +12,11 @@
 notify:
 - reload nginx
- - name: Generate 2048-bit dhparam
- command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
+ - name: Download 4096-bit RFC 7919 dhparams
+ get_url:
+ url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
+ checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
+ dest: /etc/ssl/certs/dhparam.pem
 notify:
 - reload nginx
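Review bot: The new `get_url` task fetches the group from the mutable `master` ref of a third-party repository on every run, so the play now depends on raw.githubusercontent.com being reachable from the managed host and on that branch keeping the file at that path. The pinned sha256 is the right control, since an upstream change makes the task fail rather than be silently accepted, but ffdhe4096 is a fixed constant published in RFC 7919 Appendix A.3, so it can be vendored into the role's `files/` directory and installed with `copy`, which removes the network dependency and lets the task set explicit ownership and a `"0644"` mode instead of leaving permissions to the host's umask as the hunk does. I could not verify the checksum value against the upstream file from here, so confirm it once against the RFC text before merging. A 2048-bit `dhparam.pem` previously generated at the same `dest` should be replaced on the next run because its checksum will not match, but that is `get_url` behaviour inferred rather than shown, so worth a check on an existing host. The surrounding task list continues outside the hunk.

```yaml
  - name: Install 4096-bit RFC 7919 dhparams
    copy:
      src: ffdhe4096.pem
      dest: /etc/ssl/certs/dhparam.pem
      owner: root
      group: root
      mode: "0644"
    notify:
      - reload nginx
```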