From f3f8eb8fce42b28b8cb91311925d7eb61239d3a1 Mon Sep 17 00:00:00 2001
From: Till
Date: Tue, 8 Nov 2022 16:12:27 +0100
Subject: [PATCH] Use central predefined 4096 bit DH params file (from Mozilla https://ssl-config.mozilla.org/ffdhe4096.txt ) instead of creation one via openssl command to speed up the installation. Thank you to @ahrasis for code suggestions.
---
 install/lib/installer_base.lib.php | 17 +++++++++++------
 interface/ssl/dhparam4096.pem | 13 +++++++++++++
 2 files changed, 24 insertions(+), 6 deletions(-)
 create mode 100644 interface/ssl/dhparam4096.pem
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 6a2fe64c13..3d49c23871 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -1600,20 +1600,24 @@ class installer_base {
 // Check if we have a dhparams file and if not, create it
 if(!file_exists('/etc/dovecot/dh.pem')) {
+ // Create symlink to ISPConfig dhparam file
+ swriteln('Creating symlink /etc/dovecot/dh.pem to ISPConfig DHParam file.');
+ symlink('/usr/local/ispconfig/interface/ssl/dhparam4096.pem', '/etc/dovecot/dh.pem');
+
+ /*
 swriteln('Creating new DHParams file, this takes several minutes. Do not interrupt the script.');
 if(file_exists('/var/lib/dovecot/ssl-parameters.dat')) {
 // convert existing ssl parameters file
 $command = 'dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem';
 caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 } else {
- /*
- Create a new dhparams file. We use 2048 bit only as it simply takes too long
- on smaller systems to generate a 4096 bit dh file (> 30 minutes). If you need
- a 4096 bit file, create it manually before you install ISPConfig
- */
+ //Create a new dhparams file. We use 2048 bit only as it simply takes too long
+ // on smaller systems to generate a 4096 bit dh file (> 30 minutes). If you need
+ // a 4096 bit file, create it manually before you install ISPConfig
 $command = 'openssl dhparam -out /etc/dovecot/dh.pem 2048';
 caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 }
+ */
 }
 //remove #2.3+ comment
 $content = file_get_contents($config_dir.'/'.$configfile);
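Review bot: The new symlink() call at the top of the if block is unchecked and the guard still uses file_exists(), which returns false for a dangling link, so if /etc/dovecot/dh.pem already exists as a broken symlink the call fails with a warning and the installer carries on with no usable dh.pem for Dovecot; the pure-ftpd hunk below has the same pattern. Guard with `if(!file_exists('/etc/dovecot/dh.pem') && !is_link('/etc/dovecot/dh.pem')) {` and check the result, e.g. `if(!symlink('/usr/local/ispconfig/interface/ssl/dhparam4096.pem', '/etc/dovecot/dh.pem')) swriteln('Warning: could not create symlink /etc/dovecot/dh.pem');`. The target is hard-coded to /usr/local/ispconfig and, if the interface tree is only copied later in the install, the link is dangling until then; if the installer keeps the install dir in $conf, building the path from it would at least keep the link valid for non-default install locations. Because the file now lives under interface/ssl, it is worth confirming that the dovecot process can read through that directory's permissions. The old generation code is kept as a large commented-out block rather than deleted; removing it (it stays in git history) keeps the function readable.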
@@ -3319,7 +3323,8 @@ class installer_base {
 // Create symlink to ISPConfig SSL files
 symlink($ssl_pem_file, $pureftpd_pem);
 if (!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem"))
- exec("cd $pureftpd_dir; openssl dhparam -out dhparam2048.pem 2048; ln -sf dhparam2048.pem pure-ftpd-dhparams.pem");
+ symlink('/usr/local/ispconfig/interface/ssl/dhparam4096.pem', $pureftpd_dir.'/pure-ftpd-dhparams.pem');
+ //exec("cd $pureftpd_dir; openssl dhparam -out dhparam2048.pem 2048; ln -sf dhparam2048.pem pure-ftpd-dhparams.pem");
 }
 }
diff --git a/interface/ssl/dhparam4096.pem b/interface/ssl/dhparam4096.pem
new file mode 100644
index 0000000000..eed4c41e21
--- /dev/null
+++ b/interface/ssl/dhparam4096.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----
+MIICCAKCAgEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEfz9zeNVs7ZRkDW7w09N75nAI4YbRvydbmyQd62R0mkff3
+7lmMsPrBhtkcrv4TCYUTknC0EwyTvEN5RPT9RFLi103TZPLiHnH1S/9croKrnJ32
+nuhtK8UiNjoNq8Uhl5sN6todv5pC1cRITgq80Gv6U93vPBsg7j/VnXwl5B0rZp4e
+8W5vUsMWTfT7eTDp5OWIV7asfV9C1p9tGHdjzx1VA0AEh/VbpX4xzHpxNciG77Qx
+iu1qHgEtnmgyqQdgCpGBMMRtx3j5ca0AOAkpmaMzy4t6Gh25PXFAADwqTs6p+Y0K
+zAqCkc3OyX3Pjsm1Wn+IpGtNtahR9EGC4caKAH5eZV9q//////////8CAQI=
+-----END DH PARAMETERS-----
\ No newline at end of file
-- 
GitLab
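Review bot: The `if (!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem"))` on the third line of the hunk has no braces, and the commit now places a commented-out exec() line directly after the single-statement body, so the conditional reads as if it governed two lines while only the symlink() is conditional; the next person who uncomments or extends it gets an unconditional statement. Brace the block and drop the dead exec() line: `if (!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem")) {` / `symlink('/usr/local/ispconfig/interface/ssl/dhparam4096.pem', $pureftpd_dir.'/pure-ftpd-dhparams.pem');` / `}`. The enclosing method starts outside the hunk, so whether $pureftpd_dir is guaranteed to exist at this point is not visible here.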