[enh] Generate custom Diffie-Hellman primes #621
frju365
added some commits
Jan 19, 2019
Psycojoker
reviewed
Jan 20, 2019
src/yunohost/tools.py Outdated
Psycojoker
reviewed
Jan 20, 2019
src/yunohost/tools.py Outdated
This PR misses relaunching the regen-conf or equivalent mechanism for including this custom dhparam in nginx confs.
I add regen-conf at the end of postinstall but I can't be sure it will be generated at the end of it (surely not).
frju365
added some commits
Jan 20, 2019
alexAubin
changed the title
dh_params
[enh] Generate custom Diffie-Hellman primes
Jan 26, 2019
alexAubin
reviewed
Feb 5, 2019
data/hooks/conf_regen/15-nginx Outdated
@@ -322,6 +322,17 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False, | |||
else: | |||
dyndns = False | |||
|
|||
cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params" | |||
|
|||
command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n" |
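Review bot: the `-dsaparam` flag in the `command` string speeds up generation by producing DSA-style parameters whose modulus is not a safe prime; OpenSSL documents these as suitable only for ephemeral DH (which is what nginx's ssl_dhparam is used for), so the code should carry a comment stating that /etc/ssl/private/dh2048.pem must not be reused for static DH or swapped for a file generated without this property being understood. Two smaller points on the same line: `2> /var/log/yunohost/dhparam_generation.log` truncates the log on every hourly retry, so `2>>` would preserve the history of failed attempts, and the hunk shows `cron_job_file` and `command` being defined but not the cron file being written and made executable, nor the regen-conf trigger requested earlier in the review.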
alexAubin
Feb 5, 2019
Member
Note that a migration should be implemented so that it also gets applied to existing instances
Josue-T
Feb 8, 2019
Contributor
You also probably need to change the owner for this file like : root:ssl-cert
frju365
Feb 8, 2019
Author
Member
Mh? On my instance it's root:root, and it works. If you think it's better root:ssl-cert... but it works like that (perhaps I'm missing something).
alexAubin
Feb 8, 2019
Member
That essentially depends on whether or not we will need some other service to use this DH param. For instance, SSL certificates have root:ssl-cert as permission because metronome needs access to it while not having root privileges... I don't know if dovecot or postfix or metronome or whatever service needs DH params, but having ssl-cert as group for this file provides more flexibility I guess.
alexAubin
Feb 17, 2019
Member
Note that the original comment is still valid: a migration should be implemented so that it also gets applied to existing instances.
frju365
Feb 18, 2019
Author
Member
Yes, I know. I just didn't have time to do it :/ Let's give it a try.
frju365
Feb 18, 2019
Author
Member
Normally, quite done :/ Not tested as always (I'm at work for now).
alexAubin
added
work needed
test needed
labels
Feb 5, 2019
frju365
added some commits
Feb 5, 2019
alexAubin
requested changes
Feb 18, 2019
src/yunohost/tools.py Outdated
data/hooks/conf_regen/15-nginx Outdated
frju365
added some commits
Feb 18, 2019
alexAubin
reviewed
Feb 18, 2019
frju365
added some commits
Feb 18, 2019
Why is there a conflict?
frju365 commented Jan 19, 2019 (edited)
The problem
Weak dh_params == weak security
Solution
Add dh_params in background
PR Status
How to test
Install Yunohost / ynh-dev
Validation
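The "How to test" section above stops at installing YunoHost. As an added verification step (example code, not part of the PR or of YunoHost), the following parses the PEM file written by `openssl dhparam` and reports the modulus size and whether p is a safe prime, the property that the `-dsaparam` flag in the hunk deliberately gives up; the embedded PEM is a constructed toy with p=23, g=5, not real output.

```python
import base64
import random
import re

# Constructed toy PEM (p=23, g=5), not real output; real files carry a 2048-bit modulus.
TOY_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, i):
    """Read one DER tag-length-value at offset i -> (tag, value, next_offset)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def parse_dh_pem(pem_text):
    """Return (p, g) from a PEM 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    tag, seq, _ = _read_tlv(base64.b64decode("".join(m.group(1).split())), 0)
    t1, p_bytes, i = _read_tlv(seq, 0)
    t2, g_bytes, _ = _read_tlv(seq, i)
    if (tag, t1, t2) != (0x30, 0x02, 0x02):
        raise ValueError("not a DER SEQUENCE of two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d = n - 1
    r = (d & -d).bit_length() - 1  # trailing zero bits of n-1
    d >>= r
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(r):  # x^(2^i) must hit n-1 for some i < r
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def check_dhparam(pem_text, min_bits=2048):
    """Verdict for a dhparam file: modulus size and whether p is a safe prime."""
    p, _ = parse_dh_pem(pem_text)
    safe = is_probable_prime(p) and is_probable_prime((p - 1) // 2)
    return {"bits": p.bit_length(), "safe_prime": safe, "ok": p.bit_length() >= min_bits and safe}
```

On a real instance, pass `open("/etc/ssl/private/dh2048.pem").read()` to `check_dhparam`; a file produced with `-dsaparam` will report `safe_prime` False even at 2048 bits.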