From 060e92bde7236e7b4e27cb1467795448f3f8be71 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Wed, 9 Oct 2024 20:04:39 -0400
Subject: [PATCH] Hide DH params for servers using openssl DH auto

openssl SSL_CTX_set_dh_auto() or SSL_set_dh_auto() interfaces support RFC7919 Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)
github: closes #238
---
 src/templates/partials/apache.hbs | 10 ++++++++++
 src/templates/partials/postfix.hbs | 11 ++++++++++-
 src/templates/partials/redis.hbs | 7 +++++++
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/src/templates/partials/apache.hbs b/src/templates/partials/apache.hbs
index c13da2ac..d0a0efae 100644
--- a/src/templates/partials/apache.hbs
+++ b/src/templates/partials/apache.hbs
@@ -14,9 +14,19 @@ SSLEngine on
  {{#if (minver "2.4.8" form.serverVersion)}}
  {{#if output.usesDhe}}
+ {{#if (minver "2.4.52" form.serverVersion)}}
+ {{#if (minver "1.1.0" form.opensslVersion)}}
+ SSLCertificateFile /path/to/signed_cert_and_intermediate_certs
+ {{else}}
+
+ # {{output.dhCommand}} >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
+ SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
+ {{/if}}
+ {{else}}
  # {{output.dhCommand}} >> /path/to/signed_cert_and_intermediate_certs_and_dhparams
  SSLCertificateFile /path/to/signed_cert_and_intermediate_certs_and_dhparams
+ {{/if}}
  {{else}}
  SSLCertificateFile /path/to/signed_cert_and_intermediate_certs
  {{/if}}
diff --git a/src/templates/partials/postfix.hbs b/src/templates/partials/postfix.hbs
index d95993d3..6ad0725e 100644
--- a/src/templates/partials/postfix.hbs
+++ b/src/templates/partials/postfix.hbs
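Review bot: The new version gates `minver "2.4.52" form.serverVersion` and `minver "1.1.0" form.opensslVersion` carry no explanation in the template, and the OpenSSL cutoff differs from the `3.0.0` used in the postfix and redis hunks, so a later reader cannot tell whether the difference is deliberate or a slip. A Handlebars comment above the new block, e.g. `{{!-- Apache 2.4.52+ on OpenSSL 1.1.0+ relies on SSL_CTX_set_dh_auto() (RFC 7919 groups), so no dhparams are appended --}}`, would record the source; the same applies to the postfix and redis hunks. It is also worth confirming what `minver` returns when `form.opensslVersion` is unset, because a truthy result would silently drop the dhparams append for a build that still needs it. The dhparams lines are now emitted verbatim in two branches here and in the other two files; if the helper set offers a conjunction helper, one `{{#if}}` over both versions would remove the duplication.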
@@ -10,13 +10,22 @@ smtpd_tls_protocols = !SSLv2, !SSLv3{{#unless (includes "TLSv1" output.protocols
 smtpd_tls_mandatory_ciphers = medium
 {{/if}}
 {{#if output.usesDhe}}
+{{#if (minver "3.7.0" form.serverVersion)}}
+{{#unless (minver "3.0.0" form.opensslVersion)}}
 # {{output.dhCommand}} > /path/to/dhparam
 # not actually 1024 bits, this applies to all DHE >= 1024 bits
 smtpd_tls_dh1024_param_file = /path/to/dhparam
+{{/unless}}
+{{else}}
+
+# {{output.dhCommand}} > /path/to/dhparam
+# not actually 1024 bits, this applies to all DHE >= 1024 bits
+smtpd_tls_dh1024_param_file = /path/to/dhparam
+{{/if}}
 {{/if}}
 {{#if output.ciphers.length}}
 tls_medium_cipherlist = {{{join output.ciphers ":"}}}
 {{/if}}
-tls_preempt_cipherlist = {{#if output.serverPreferredOrder}}yes{{else}}no{{/if}}
\ No newline at end of file
+tls_preempt_cipherlist = {{#if output.serverPreferredOrder}}yes{{else}}no{{/if}}
diff --git a/src/templates/partials/redis.hbs b/src/templates/partials/redis.hbs
index 5967740d..ab4cf5f0 100644
--- a/src/templates/partials/redis.hbs
+++ b/src/templates/partials/redis.hbs
@@ -14,8 +14,15 @@ tls-ca-cert-file /path/to/ca_certificates.crt
 tls-ca-cert-dir /path/to/ca_certificates
 {{#if output.usesDhe}}
+{{#if (minver "6.2.7" form.serverVersion)}}
+{{#unless (minver "3.0.0" form.opensslVersion)}}
 # {{output.dhCommand}} > /path/to/dhparam
 tls-dh-params-file /path/to/dhparam
+{{/unless}}
+{{else}}
+# {{output.dhCommand}} > /path/to/dhparam
+tls-dh-params-file /path/to/dhparam
+{{/if}}
 {{/if}}
 # {{form.config}} configuration
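Review bot: When Postfix is 3.7.0 or newer and OpenSSL is 3.0.0 or newer, the new `{{#unless}}` branch emits nothing, so the generated main.cf carries no trace of how DH parameters are handled and an operator diffing it against an older config may read the missing `smtpd_tls_dh1024_param_file` as an omission. A one-line comment emitted in that case, e.g. `# DH parameters: built-in RFC 7919 groups via OpenSSL DH auto (no dhparam file needed)`, would make the choice visible in the output; the redis hunk has the same silent path. Whether Postfix 3.7 selects DH auto for every OpenSSL 3.0 build is not visible here and should be confirmed against its release notes before relying on that threshold.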