Hide DH params for servers using openssl DH auto

openssl SSL_CTX_set_dh_auto() or SSL_set_dh_auto() interfaces support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS) github: closes mozilla#238
gstrauss · Oct 10, 2024 · 060e92b · 060e92b
1 parent 886b62d
commit 060e92b
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 1 deletion.
diff --git a/src/templates/partials/apache.hbs b/src/templates/partials/apache.hbs
@@ -14,9 +14,19 @@
     SSLEngine on
 {{#if (minver "2.4.8" form.serverVersion)}}
   {{#if output.usesDhe}}
+   {{#if (minver "2.4.52" form.serverVersion)}}
+    {{#if (minver "1.1.0" form.opensslVersion)}}
+    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs
+    {{else}}
+
+    # {{output.dhCommand}} >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
+    SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
+    {{/if}}
+   {{else}}
 
     # {{output.dhCommand}} >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
     SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs_and_dhparams
+   {{/if}}
   {{else}}
     SSLCertificateFile      /path/to/signed_cert_and_intermediate_certs
   {{/if}}

diff --git a/src/templates/partials/postfix.hbs b/src/templates/partials/postfix.hbs
@@ -10,13 +10,22 @@ smtpd_tls_protocols = !SSLv2, !SSLv3{{#unless (includes "TLSv1" output.protocols
 smtpd_tls_mandatory_ciphers = medium
 {{/if}}
 {{#if output.usesDhe}}
+{{#if (minver "3.7.0" form.serverVersion)}}
+{{#unless (minver "3.0.0" form.opensslVersion)}}
 
 # {{output.dhCommand}} > /path/to/dhparam
 # not actually 1024 bits, this applies to all DHE >= 1024 bits
 smtpd_tls_dh1024_param_file = /path/to/dhparam
+{{/unless}}
+{{else}}
+
+# {{output.dhCommand}} > /path/to/dhparam
+# not actually 1024 bits, this applies to all DHE >= 1024 bits
+smtpd_tls_dh1024_param_file = /path/to/dhparam
+{{/if}}
 {{/if}}
 
 {{#if output.ciphers.length}}
 tls_medium_cipherlist = {{{join output.ciphers ":"}}}
 {{/if}}
-tls_preempt_cipherlist = {{#if output.serverPreferredOrder}}yes{{else}}no{{/if}}
+tls_preempt_cipherlist = {{#if output.serverPreferredOrder}}yes{{else}}no{{/if}}
diff --git a/src/templates/partials/redis.hbs b/src/templates/partials/redis.hbs
@@ -14,8 +14,15 @@ tls-ca-cert-file /path/to/ca_certificates.crt
 tls-ca-cert-dir /path/to/ca_certificates
 
 {{#if output.usesDhe}}
+{{#if (minver "6.2.7" form.serverVersion)}}
+{{#unless (minver "3.0.0" form.opensslVersion)}}
 # {{output.dhCommand}} > /path/to/dhparam
 tls-dh-params-file /path/to/dhparam
+{{/unless}}
+{{else}}
+# {{output.dhCommand}} > /path/to/dhparam
+tls-dh-params-file /path/to/dhparam
+{{/if}}
 {{/if}}
 
 # {{form.config}} configuration