thefinn93 / ansible-letsencrypt

An ansible role to generate TLS certificates and get them signed by Let's Encrypt

Add improved dhparam

sbwoodside opened this issue · comments

It's possible to generate stronger Diffie-Hellman parameters, for example by doing this:

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

And then add this line to the nginx config:

ssl_dhparam /etc/ssl/certs/dhparam.pem;

This should be as simple as:

- name: Improve Diffie-Hellman parameters
  command: openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  args:
    creates: /etc/ssl/certs/dhparam.pem

For analysis see e.g. http://security.stackexchange.com/questions/38206/can-someone-explain-what-exactly-is-accomplished-by-generation-of-dh-parameters and this site recommends doing it: https://weakdh.org/sysadmin.html
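
A check that the file nginx is pointed at really holds a group of at least 2048 bits, as an added example that is not part of the original issue or of the role's code. The function names and the sample line are assumptions made for illustration; the script relies only on the `openssl dhparam` command and the `ssl_dhparam` directive quoted above.

```bash
#!/usr/bin/env bash
# Added example: confirm that nginx is pointed at a DH group of >= MIN_BITS bits.
MIN_BITS=2048

# Print every ssl_dhparam path found in nginx config text on stdin.
# Commented-out directives are ignored.
nginx_dhparam_paths() {
  sed -e 's/#.*//' | awk '$1 == "ssl_dhparam" { sub(/;$/, "", $2); print $2 }'
}

# Print the group size parsed from `openssl dhparam -text -noout` output on stdin.
dh_bits() {
  sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Exit status 0: size acceptable, 1: too small, 2: not a number.
check_bits() {
  case "$1" in
    ''|*[!0-9]*) return 2 ;;
  esac
  [ "$1" -ge "$MIN_BITS" ]
}

# Audit one nginx config file; needs the openssl CLI and read access to the files.
audit_conf() {
  audit_status=0
  audit_paths=$(nginx_dhparam_paths < "$1")
  if [ -z "$audit_paths" ]; then
    echo "NONE $1: no ssl_dhparam directive"; return 1
  fi
  for audit_p in $audit_paths; do
    audit_bits=$(openssl dhparam -in "$audit_p" -text -noout 2>/dev/null | dh_bits)
    if check_bits "$audit_bits"; then
      echo "OK   $audit_p ($audit_bits bit)"
    else
      echo "WEAK $audit_p (${audit_bits:-unknown} bit)"; audit_status=1
    fi
  done
  return "$audit_status"
}

# With a file argument, audit it; otherwise dry-run on a constructed sample line.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  audit_conf "$1"
else
  printf '    DH Parameters: (1024 bit)\n' | dh_bits   # constructed sample line
fi
```

Run against the rendered nginx config after the role has been applied; a non-zero exit status means a missing directive or a group below `MIN_BITS`.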