From 64e8603cf9790aa4419d0f2746671bd242e6344d Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Tue, 26 May 2015 00:55:19 +0200
Subject: logjam mitigation.
---
 roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 2 +-
 roles/IMAP/templates/etc/postfix/main.cf.j2 | 2 ++
 roles/MSA/templates/etc/postfix/main.cf.j2 | 1 +
 roles/MX/templates/etc/postfix/main.cf.j2 | 2 ++
 roles/common-web/files/etc/nginx/ssl/config | 1 +
 roles/common/files/usr/local/bin/gendhparam.sh | 13 +++++++++++++
 roles/common/files/usr/local/bin/genkeypair.sh | 4 ++--
 roles/common/tasks/main.yml | 12 +++++++++---
 roles/lists/templates/etc/postfix/main.cf.j2 | 2 ++
 roles/out/templates/etc/postfix/main.cf.j2 | 2 ++
 10 files changed, 35 insertions(+), 6 deletions(-)
 create mode 100755 roles/common/files/usr/local/bin/gendhparam.sh
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index 90843b2..e801639 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -43,7 +43,7 @@ ssl_key = "$privkey"
diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh
index d6539e2..982c1d9 100755
--- a/roles/common/files/usr/local/bin/genkeypair.sh
+++ b/roles/common/files/usr/local/bin/genkeypair.sh
@@ -37,6 +37,7 @@ cn=
 usage=
 chmod=
 chown=
+rand=
 usage() {
 cat >&2 <<- EOF
@@ -123,7 +124,6 @@ while [ $# -gt 0 ]; do
 shift;
 done
-rand=/dev/urandom
 case "$type" in
 # XXX: genrsa and dsaparam have been deprecated in favor of genpkey.
 # genpkey can also create explicit EC parameters, but not named.
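Review bot: `rand=` is now declared empty alongside the other option variables and the unconditional `rand=/dev/urandom` after the option loop is removed, but neither hunk shows anything that ever assigns `rand` — the option-parsing loop and the `usage()` text are outside the hunk, and the visible `usage() {` line is unchanged — so from this diff alone the variable looks like a knob nobody can turn. The default is applied only at the call site later in the file (`-rand "${rand:-/dev/urandom}"`), so a reader of the declaration cannot tell what an empty value means; a one-line comment would fix that, `rand=  # seed source passed to 'openssl -rand'; empty selects /dev/urandom at the point of use`. If the intent is for the caller to override it (a new option, or the environment), that path should be added to the parser and documented in usage() in the same commit; if not, the variable could simply stay hard-coded. The `case "$type" in` block and the rest of the script continue outside the hunk.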
@@ -184,7 +184,7 @@ elif [ ! -s "$privkey" -o $force -ge 2 ]; then
 mv -f "$(mktemp)" "$privkey" || exit 2
 chmod "${chmod:-og-rwx}" "$privkey" || exit 2
 [ -z "$chown" ] || chown "$chown" "$privkey" || exit 2
- openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2
+ openssl $genkey -rand "${rand:-/dev/urandom}" $genkeyargs >"$privkey" || exit 2
 [ "$cmd" = dkim ] && { dkiminfo; exit; }
 fi
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 3b3c0a5..4e85d0a 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -15,12 +15,18 @@
 - include: smart.yml tags=smartmontools,smart
 when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')"
 - include: haveged.yml tags=haveged,entropy
-- name: Copy genkeypair.sh
- copy: src=usr/local/bin/genkeypair.sh
- dest=/usr/local/bin/genkeypair.sh
+- name: Copy genkeypair.sh and gendhparam.sh
+ copy: src=usr/local/bin/{{ item }}
+ dest=/usr/local/bin/{{ item }}
 owner=root group=root
 mode=0755
 tags: genkey
+ with_items:
+ - genkeypair.sh
+ - gendhparam.sh
+- name: Generate DH parameters
+ command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
+ tags: genkey
 - include: logging.yml tags=logging
 - include: ntp.yml tags=ntp
 - include: mail.yml tags=mail,postfix
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index e55eb9e..d286f27 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
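Review bot: `command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem` makes the task fire exactly once per host, so if the script is interrupted or fails after the output file has been created, a truncated or empty dhparams.pem stays behind and `creates=` treats it as done on every subsequent run, silently breaking TLS startup for the Postfix templates below that point at this path. gendhparam.sh itself is not in this chunk, so I cannot tell whether it writes to a temp file and renames into place; if it does not, it should, or the task should drop `creates=` and rely on the script's own "skip if present" check. The bare `gendhparam.sh` also depends on the remote PATH including /usr/local/bin even though the preceding copy task installs it at a known location; `command: /usr/local/bin/gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem` removes that dependency. Since `creates=` freezes the group at its first-run size, a comment such as `# regenerated only if the file is removed; delete it to change the group size` on the task would save the next person a surprise.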
@@ -56,8 +56,10 @@ local_header_rewrite_clients =
 relay_clientcerts = cdb:$config_directory/relay_clientcerts
 smtpd_tls_security_level = may
+smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header = yes
 smtpd_tls_ask_ccert = yes
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index da8ed48..eab3c0b 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -53,8 +53,10 @@ smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 relay_clientcerts = cdb:$config_directory/relay_clientcerts
 smtpd_tls_security_level = may
+smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtpd_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key
+smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header = yes
 smtpd_tls_ask_ccert = yes
-- cgit v1.2.3
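Review bot: `smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5` is added directly under `smtpd_tls_security_level = may` in both roles/lists and roles/out, and with opportunistic TLS a peer that cannot agree on one of the remaining suites does not get refused — the session falls back to cleartext, which is strictly worse than a weak cipher; Postfix's TLS_README warns against restricting ciphers at level `may` for exactly this reason. The adjacent `relay_clientcerts` line suggests these smtpd instances mostly talk to the site's own relays; if that is the case, `smtpd_tls_security_level = encrypt` (or a per-client restriction on those peers) would turn a downgrade into a hard failure instead of plaintext, and otherwise a comment next to the new line should record that the exclusion list is accepted to fail open. `smtpd_tls_dh1024_param_file` does accept groups larger than its name implies, but the actual size is decided by gendhparam.sh, which is not in this chunk — logjam mitigation needs at least a 2048-bit group, so confirm that and consider `# >=2048-bit group from gendhparam.sh; the "1024" in the parameter name is historical` beside the setting.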