
[enh] Generate custom Diffie-Hellman primes #621

Open · wants to merge 19 commits into base: stretch-unstable

4 participants
frju365 (Member) commented Jan 19, 2019

The problem

Weak dh_params == weak security

Solution

Add dh_params in background

PR Status

How to test

Install Yunohost / ynh-dev

Validation

  • Principle agreement 0/2 :
  • Quick review 0/1 :
  • Simple test 0/1 :
  • Deep review 0/1 :

frju365 added some commits Jan 19, 2019

Two resolved (outdated) review threads on src/yunohost/tools.py
Psycojoker (Member) commented Jan 20, 2019

This PR misses relaunching the regen-conf or equivalent mechanism for including this custom dhparam in nginx confs.

frju365 (Member, Author) commented Jan 20, 2019

I added regen-conf at the end of postinstall, but I can't be sure it will have been generated by the end of it (surely not).

frju365 added some commits Jan 20, 2019

alexAubin changed the title from "dh_params" to "[enh] Generate custom Diffie-Hellman primes" on Jan 26, 2019

Resolved (outdated) review thread on data/hooks/conf_regen/15-nginx
@@ -322,6 +322,17 @@ def tools_postinstall(operation_logger, domain, password, ignore_dyndns=False,
else:
dyndns = False

cron_job_file = "/etc/cron.hourly/yunohost-generate-dh-params"

command = "nice -n 19 openssl dhparam -out /etc/ssl/private/dh2048.pem -outform PEM -2 2048 -dsaparam 2> /var/log/yunohost/dhparam_generation.log && rm /etc/cron.hourly/yunohost-generate-dh-params\n"
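Review bot: `-dsaparam` in the openssl command makes generation fast but yields DSA-style parameters rather than a safe prime (one where (p-1)/2 is also prime), and OpenSSL's own dhparam documentation cautions that with such parameters a fresh DH key must be generated for each use to avoid small-subgroup attacks; since this file is meant to be shared by nginx and, per the thread, possibly other services, either confirm that every consumer generates an ephemeral key per handshake or drop `-dsaparam` and accept the longer run, which a `nice -n 19` background job already tolerates. Separately, the command writes straight to `/etc/ssl/private/dh2048.pem`, so a regen-conf that points nginx at that path while openssl is still writing would hand nginx a truncated file; generate into a temporary file, `mv` it into place, set the owner/group discussed in this thread (root:ssl-cert) in the same job, and only then trigger the regen-conf step. `-outform PEM` is the default and can be dropped.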

alexAubin (Member) commented Feb 5, 2019

Note that a migration should be implemented so that it also gets applied to existing instances.

Josue-T (Contributor) commented Feb 8, 2019

You also probably need to change the owner of this file, like: root:ssl-cert

frju365 (Member, Author) commented Feb 8, 2019

Mh? On my instance it's root:root, and it works. If you think root:ssl-cert is better... but it works like that (perhaps I'm missing something).

alexAubin (Member) commented Feb 8, 2019

That essentially depends on whether or not we will need some other service to use this DH param. For instance, SSL certificates have root:ssl-cert as permission because metronome needs access to them while not having root privileges... I don't know if dovecot or postfix or metronome or whatever service needs DH params, but having ssl-cert as the group for this file provides more flexibility, I guess.

Josue-T (Contributor) commented Feb 8, 2019

I say this because I'll need this for synapse 😃

frju365 (Member, Author) commented Feb 8, 2019

Should be fixed now.

alexAubin (Member) commented Feb 17, 2019

Note that the original comment is still valid: a migration should be implemented so that it also gets applied to existing instances.

frju365 (Member, Author) commented Feb 18, 2019

Yes, I know. I just didn't have time to do it :/ Let's try.

alexAubin (Member) commented Feb 18, 2019

That's okay 😉 Just be aware of it 😛

frju365 (Member, Author) commented Feb 18, 2019

Should be mostly done :/ Not tested, as always (I'm at work right now).
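The two properties a reviewer would want to verify on the resulting /etc/ssl/private/dh2048.pem, that the modulus is at least 2048 bits and that it is a safe prime (which `-dsaparam` in the hunk above does not guarantee), can be checked offline. The following is an added example, not YunoHost code: it assumes the file is a PKCS#3 or X9.42 "DH PARAMETERS" PEM whose outer SEQUENCE starts with INTEGERs p and g, and it uses its own Miller-Rabin test rather than any OpenSSL API.

```python
import base64
import random
import re

def _tlv(buf, i):
    """Read one DER tag/length/value at offset i -> (tag, value, offset after it)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def parse_dh_pem(pem_text):
    """Return (p, g): the first two INTEGERs; PKCS#3 and X9.42 encodings both begin with p, g."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if m is None:
        raise ValueError("no DH PARAMETERS block found")
    _, body, _ = _tlv(base64.b64decode("".join(m.group(1).split())), 0)  # outer SEQUENCE
    ints, i = [], 0
    while i < len(body):
        tag, value, i = _tlv(body, i)
        if tag == 0x02:  # skip non-INTEGER members such as X9.42 validationParms
            ints.append(int.from_bytes(value, "big", signed=True))
    return ints[0], ints[1]

def is_probable_prime(n, rounds=40):
    """Miller-Rabin: n passes base a iff a^d == 1 or a^(d*2^s) == -1 (mod n) for some s < r."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        if pow(a, d, n) != 1 and all(pow(a, d << s, n) != n - 1 for s in range(r)):
            return False  # a is a witness, n is composite
    return True

def check_dh_params(pem_text, min_bits=2048):
    """Findings for a dhparam file; an empty list means the parameters pass every check."""
    p, g = parse_dh_pem(pem_text)
    findings = []
    if p.bit_length() < min_bits:
        findings.append("modulus is %d bits, expected at least %d" % (p.bit_length(), min_bits))
    if not is_probable_prime(p):
        findings.append("modulus is not prime")
    elif not is_probable_prime((p - 1) // 2):  # the shape 'openssl dhparam -dsaparam' yields
        findings.append("modulus is not a safe prime (DSA-style parameters?)")
    if not 2 <= g <= p - 2:
        findings.append("generator %d is out of range" % g)
    return findings
```

Run it against a file with `check_dh_params(open(path).read())`; a non-empty list is the reason to regenerate.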

frju365 added some commits Feb 5, 2019

Resolved (outdated) review threads: src/yunohost/data_migrations/0009_dh_params.py (x2), src/yunohost/tools.py, data/hooks/conf_regen/15-nginx

frju365 added some commits Feb 18, 2019

frju365 added some commits Feb 18, 2019

frju365 (Member, Author) commented Feb 18, 2019

Why is there a conflict?
