roles/nginx: Use RFC 7919 4096-bit dhparams

Recommended by internet.nl, which made me aware of RFC 7919. See: https://tools.ietf.org/html/rfc7919#page-14
2021-03-19 13:13:56 +02:00 · 2021-03-19 13:13:56 +02:00 · 7f72a9eda4
commit 7f72a9eda4
parent 6e96d48ea6
1 changed files with 5 additions and 2 deletions
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@ -12,8 +12,11 @@
    notify:
      - reload nginx

-  - name: Generate 2048-bit dhparam
-    command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
+  - name: Download 4096-bit RFC 7919 dhparams
+    get_url:
+      url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
+      checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
+      dest: /etc/ssl/certs/dhparam.pem
    notify:
      - reload nginx