From f3f8eb8fce42b28b8cb91311925d7eb61239d3a1 Mon Sep 17 00:00:00 2001
From: Till <t.brehm@ispconfig.org>
Date: Tue, 8 Nov 2022 16:12:27 +0100
Subject: [PATCH] Use central predefined 4096 bit DH params file (from Mozilla
 https://ssl-config.mozilla.org/ffdhe4096.txt ) instead of creating one via
 openssl command to speed up the installation. Thank you to @ahrasis for code
 suggestions.

---
 install/lib/installer_base.lib.php | 17 +++++++++++------
 interface/ssl/dhparam4096.pem      | 13 +++++++++++++
 2 files changed, 24 insertions(+), 6 deletions(-)
 create mode 100644 interface/ssl/dhparam4096.pem

diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
index 6a2fe64c13..3d49c23871 100644
--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -1600,20 +1600,24 @@ class installer_base {
 
 				// Check if we have a dhparams file and if not, create it
 				if(!file_exists('/etc/dovecot/dh.pem')) {
+					// Create symlink to ISPConfig dhparam file
+					swriteln('Creating symlink /etc/dovecot/dh.pem to ISPConfig DHParam file.');
+					symlink('/usr/local/ispconfig/interface/ssl/dhparam4096.pem', '/etc/dovecot/dh.pem');
+
+					/*
 					swriteln('Creating new DHParams file, this takes several minutes. Do not interrupt the script.');
 					if(file_exists('/var/lib/dovecot/ssl-parameters.dat')) {
 						// convert existing ssl parameters file
 						$command = 'dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem';
 						caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 					} else {
-						/*
-						   Create a new dhparams file. We use 2048 bit only as it simply takes too long
-						   on smaller systems to generate a 4096 bit dh file (> 30 minutes). If you need
-						   a 4096 bit file, create it manually before you install ISPConfig
-						*/
+						//Create a new dhparams file. We use 2048 bit only as it simply takes too long
+						//   on smaller systems to generate a 4096 bit dh file (> 30 minutes). If you need
+						//   a 4096 bit file, create it manually before you install ISPConfig
 						$command = 'openssl dhparam -out /etc/dovecot/dh.pem 2048';
 						caselog($command.' &> /dev/null', __FILE__, __LINE__, "EXECUTED: $command", "Failed to execute the command $command");
 					}
+					*/
 				}
 				//remove #2.3+ comment
 				$content = file_get_contents($config_dir.'/'.$configfile);
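Review bot: The `symlink()` added at the top of the hunk is unchecked, whereas the `caselog()` path it replaces logged failures; if `/usr/local/ispconfig/interface/ssl/dhparam4096.pem` is not yet in place or `/etc/dovecot` is unwritable, the installer prints "Creating symlink" and moves on, leaving dovecot configured with a dangling dh.pem. Suggest `if(!@symlink('/usr/local/ispconfig/interface/ssl/dhparam4096.pem', '/etc/dovecot/dh.pem')) swriteln('WARNING: failed to create /etc/dovecot/dh.pem symlink.');` — the pure-ftpd hunk below has the same unchecked call. The replaced openssl branch is kept as a block comment; version control already preserves it, so removing it keeps the method readable. The new PEM the link points at carries no provenance text; since PEM readers skip lines before `-----BEGIN`, a leading `# RFC 7919 ffdhe4096, from https://ssl-config.mozilla.org/ffdhe4096.txt` line would let a reader verify the group without re-downloading (confirm dovecot and pure-ftpd tolerate a leading comment line before relying on it). The enclosing method starts and ends outside the hunk.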
@@ -3319,7 +3323,8 @@ class installer_base {
 				// Create symlink to ISPConfig SSL files
 				symlink($ssl_pem_file, $pureftpd_pem);
 				if (!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem"))
-					exec("cd $pureftpd_dir; openssl dhparam -out dhparam2048.pem 2048; ln -sf dhparam2048.pem pure-ftpd-dhparams.pem");
+					symlink('/usr/local/ispconfig/interface/ssl/dhparam4096.pem', $pureftpd_dir.'/pure-ftpd-dhparams.pem');
+					//exec("cd $pureftpd_dir; openssl dhparam -out dhparam2048.pem 2048; ln -sf dhparam2048.pem pure-ftpd-dhparams.pem");
 			}
 		}
 
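Review bot: The braceless `if (!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem"))` now has a commented-out `exec` line sitting directly under its single statement, so the body reads as two statements; a maintainer uncommenting it or adding a line there would run it unconditionally. Wrap the body, `if (!file_exists("$pureftpd_dir/pure-ftpd-dhparams.pem")) {` / `symlink('/usr/local/ispconfig/interface/ssl/dhparam4096.pem', $pureftpd_dir.'/pure-ftpd-dhparams.pem');` / `}`, and drop the dead `exec` comment rather than keeping it as history. The enclosing method starts and ends outside the hunk.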
diff --git a/interface/ssl/dhparam4096.pem b/interface/ssl/dhparam4096.pem
new file mode 100644
index 0000000000..eed4c41e21
--- /dev/null
+++ b/interface/ssl/dhparam4096.pem
@@ -0,0 +1,13 @@
+-----BEGIN DH PARAMETERS-----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=
+-----END DH PARAMETERS-----
\ No newline at end of file
-- 
GitLab