From bb6f7e12b1feddc5e28a6b5a41d648ef34f64887 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Mon, 21 Sep 2020 19:30:10 +0100
Subject: [PATCH] Use ffdhe2048 DH parameters from RFC 7919

Taken from latest Mozilla recomendations which prefer those
over generating your own parameters.
---
 cookbooks/ssl/files/default/dhparam.pem | 8 ++++++++
 cookbooks/ssl/recipes/default.rb        | 3 ++-
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 cookbooks/ssl/files/default/dhparam.pem

diff --git a/cookbooks/ssl/files/default/dhparam.pem b/cookbooks/ssl/files/default/dhparam.pem
new file mode 100644
index 000000000..9b182b720
--- /dev/null
+++ b/cookbooks/ssl/files/default/dhparam.pem
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/cookbooks/ssl/recipes/default.rb b/cookbooks/ssl/recipes/default.rb
index 4ec5e85c3..c540b9298 100644
--- a/cookbooks/ssl/recipes/default.rb
+++ b/cookbooks/ssl/recipes/default.rb
@@ -27,8 +27,9 @@ cookbook_file "/etc/ssl/certs/letsencrypt.pem" do
   backup false
 end
 
-openssl_dhparam "/etc/ssl/certs/dhparam.pem" do
+cookbook_file "/etc/ssl/certs/dhparam.pem" do
   owner "root"
   group "root"
   mode "444"
+  backup false
 end
-- 
2.45.1