Move /etc/ssl/private/dhparams.pem to /etc/ssl/dhparams.pem and make it public.

Ideally we we should also increase the Diffie-Hellman group size from
2048-bit to 3072-bit, as per ENISA 2014 report.

    https://www.enisa.europa.eu/publications/algorithms-key-size-and-parameters-report-2014

But we postpone that for now until we are reasonably certain that older
client won't be left out.

8 files changed, 11 insertions, 11 deletions

diff --git a/roles/IMAP/templates/etc/postfix/main.cf.j2 b/roles/IMAP/templates/etc/postfix/main.cf.j2
index 99daef4..42afd2c 100644
--- a/roles/IMAP/templates/etc/postfix/main.cf.j2
+++ b/roles/IMAP/templates/etc/postfix/main.cf.j2
@@ -50,41 +50,41 @@ default_transport = error:5.1.1 Transport unavailable
 virtual_transport       = lmtp:unix:private/dovecot-lmtpd
 lmtp_bind_address       = 127.0.0.1
 virtual_mailbox_domains = static:all
 virtual_mailbox_maps    = static:all
 #transport_maps          = cdb:$config_directory/transport
 
 # Restore the original envelope recipient
 relay_domains               =
 recipient_canonical_classes = envelope_recipient
 recipient_canonical_maps    = pcre:$config_directory/recipient_canonical.pcre
 
 # Don't rewrite remote headers
 local_header_rewrite_clients =
 
 
 relay_clientcerts               = cdb:$config_directory/relay_clientcerts
 smtpd_tls_security_level        = may
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file             = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
+smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
 smtpd_tls_session_cache_timeout = 3600s
 smtpd_tls_fingerprint_digest    = sha256
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 smtpd_client_restrictions =
     permit_mynetworks
     permit_tls_clientcerts
     # We are the only ones using this proxy, but if things go wrong we
     # want to know why
     defer
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index 6c2a9bd..ae64b22 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -62,41 +62,41 @@ header_checks  = pcre:$config_directory/anonymize_sender.pcre
 
 
 # TLS
 {% if 'out' in group_names %}
 smtp_tls_security_level         = none
 smtp_bind_address               = 127.0.0.1
 {% else %}
 smtp_tls_security_level         = encrypt
 smtp_tls_exclude_ciphers        = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
 smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
 smtp_tls_fingerprint_digest     = sha256
 {% endif %}
 
 smtpd_tls_security_level        = encrypt
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file             = /etc/postfix/ssl/smtp.fripost.org.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/smtp.fripost.org.key
-smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
+smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
 
 # SASL
 smtpd_sasl_auth_enable          = yes
 smtpd_sasl_authenticated_header = no
 smtpd_sasl_local_domain         =
 smtpd_sasl_exceptions_networks  = $mynetworks
 smtpd_sasl_security_options     = noanonymous, noplaintext
 smtpd_sasl_tls_security_options = noanonymous
 broken_sasl_auth_clients        = yes
 smtpd_sasl_type                 = dovecot
 smtpd_sasl_path                 = unix:private/dovecot-auth
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index 46af8e9..caaaf3f 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -79,41 +79,41 @@ reserved-alias_destination_recipient_limit = 1
 smtp_data_done_timeout           = 1200s
 
 
 {% if 'out' in group_names %}
 smtp_tls_security_level         = none
 smtp_bind_address               = 127.0.0.1
 {% else %}
 smtp_tls_security_level         = encrypt
 smtp_tls_exclude_ciphers        = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtp_tls_cert_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtp_tls_key_file               = /etc/postfix/ssl/{{ ansible_fqdn }}.key
 smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 smtp_tls_policy_maps            = cdb:/etc/postfix/tls_policy
 smtp_tls_fingerprint_digest     = sha256
 {% endif %}
 
 smtpd_tls_security_level        = may
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file             = /etc/postfix/ssl/mx.fripost.org.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/mx.fripost.org.key
-smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
+smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
 smtpd_tls_CApath                = /etc/ssl/certs/
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
 
 
 # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix
 # http://www.howtoforge.com/block_spam_at_mta_level_postfix
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 # UCE control
 invalid_hostname_reject_code        = 554
 multi_recipient_bounce_reject_code  = 554
 non_fqdn_reject_code                = 554
 relay_domains_reject_code           = 554
 unknown_address_reject_code         = 554
 unknown_client_reject_code          = 554
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
index 1d40ce6..4af4d53 100644
--- a/roles/common-web/files/etc/nginx/snippets/ssl.conf
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -1,30 +1,30 @@
 # https://wiki.mozilla.org/Security/Server_Side_TLS
 # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
 
 # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
 # ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
 
 ssl on;
 
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:50m;
 ssl_session_tickets off;
 
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
-ssl_dhparam /etc/ssl/private/dhparams.pem;
+ssl_dhparam /etc/ssl/dhparams.pem;
 
 # intermediate configuration. tweak to your needs.
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 ssl_prefer_server_ciphers on;
 
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header Strict-Transport-Security 'max-age=15768000; includeSubdomains';
 
 # OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them
 # https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf
 ssl_stapling on;
 ssl_stapling_verify on;
 
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
 ssl_trusted_certificate /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem;
diff --git a/roles/common/files/usr/local/bin/gendhparam.sh b/roles/common/files/usr/local/bin/gendhparam.sh
index 84b7d56..a82a8a5 100755
--- a/roles/common/files/usr/local/bin/gendhparam.sh
+++ b/roles/common/files/usr/local/bin/gendhparam.sh
@@ -1,11 +1,10 @@
 #!/bin/sh
 
 set -ue
 PATH=/usr/bin:/bin
 
-privkey="$1"
+out="$1"
 bits="${2:-2048}"
-rand=
 
-install --mode=0600 /dev/null "$privkey"
-openssl dhparam -rand "${rand:-/dev/urandom}" "$bits" >"$privkey"
+install --mode=0644 /dev/null "$out"
+openssl dhparam "$bits" >"$out"
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 14cb7ae..1226d37 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -27,41 +27,42 @@
   tags: fail2ban
 - include: smart.yml
   tags:
     - smartmontools
     - smart
   when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')"
 - include: haveged.yml
   tags:
     - haveged
     - entropy
 - name: Copy genkeypair.sh and gendhparam.sh
   copy: src=usr/local/bin/{{ item }}
         dest=/usr/local/bin/{{ item }}
         owner=root group=root
         mode=0755
   tags: genkey
   with_items:
     - genkeypair.sh
     - gendhparam.sh
 - name: Generate DH parameters
-  command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
+  command: gendhparam.sh /etc/ssl/dhparams.pem 2048
+           creates=/etc/ssl/dhparams.pem
   tags: genkey
 - include: logging.yml
   tags: logging
 - include: ntp.yml
   tags: ntp
 - include: mail.yml
   tags:
     - mail
     - postfix
 - include: bacula.yml
   tags:
     - bacula-fd
     - bacula
 - include: munin-node.yml
   tags:
     - munin-node
     - munin
 - include: munin-node-ssl.yml
   when: "'munin-master' not in group_names"
   tags:
diff --git a/roles/lists/templates/etc/postfix/main.cf.j2 b/roles/lists/templates/etc/postfix/main.cf.j2
index 6bfb46f..75c5a59 100644
--- a/roles/lists/templates/etc/postfix/main.cf.j2
+++ b/roles/lists/templates/etc/postfix/main.cf.j2
@@ -42,41 +42,41 @@ message_size_limit  = 0
 recipient_delimiter = +
 
 # No relay: this server is inbound-only
 relay_transport   = error:5.1.1 Relay unavailable
 default_transport = error:5.1.1 Transport unavailable
 
 
 relay_domains                     = sympa.$mydomain
 transport_maps                    = cdb:$config_directory/transport
 sympa_destination_recipient_limit = 1
 
 # Don't rewrite remote headers
 local_header_rewrite_clients =
 
 
 relay_clientcerts               = cdb:$config_directory/relay_clientcerts
 smtpd_tls_security_level        = may
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file             = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
+smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
 smtpd_tls_session_cache_timeout = 3600s
 smtpd_tls_fingerprint_digest    = sha256
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 smtpd_client_restrictions =
     permit_mynetworks
     permit_tls_clientcerts
     # We are the only ones using this proxy, but if things go wrong we
     # want to know why
     defer
 
 smtpd_helo_required     = yes
 smtpd_helo_restrictions =
diff --git a/roles/out/templates/etc/postfix/main.cf.j2 b/roles/out/templates/etc/postfix/main.cf.j2
index e50b928..7a18e25 100644
--- a/roles/out/templates/etc/postfix/main.cf.j2
+++ b/roles/out/templates/etc/postfix/main.cf.j2
@@ -39,41 +39,41 @@ local_recipient_maps =
 
 message_size_limit  = 0
 recipient_delimiter = +
 
 relay_domains       =
 relay_transport     = error:5.3.2 Relay Transport unavailable
 
 # All header rewriting happens upstream
 local_header_rewrite_clients =
 
 
 smtp_tls_security_level         = may
 smtp_tls_note_starttls_offer    = yes
 smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
 
 relay_clientcerts               = cdb:$config_directory/relay_clientcerts
 smtpd_tls_security_level        = may
 smtpd_tls_exclude_ciphers       = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
 smtpd_tls_cert_file             = /etc/postfix/ssl/{{ ansible_fqdn }}.pem
 smtpd_tls_key_file              = /etc/postfix/ssl/{{ ansible_fqdn }}.key
-smtpd_tls_dh1024_param_file     = /etc/ssl/private/dhparams.pem
+smtpd_tls_dh1024_param_file     = /etc/ssl/dhparams.pem
 smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
 smtpd_tls_received_header       = yes
 smtpd_tls_ask_ccert             = yes
 smtpd_tls_session_cache_timeout = 3600s
 smtpd_tls_fingerprint_digest    = sha256
 
 
 strict_rfc821_envelopes = yes
 smtpd_delay_reject      = yes
 disable_vrfy_command    = yes
 
 address_verify_sender            = $double_bounce_sender@$mydomain
 unverified_recipient_defer_code  = 250
 unverified_recipient_reject_code = 550
 
 smtpd_client_restrictions =
     permit_mynetworks
     permit_tls_clientcerts
     # We are the only ones using this proxy, but if things go wrong we
     # want to know why