CentOS support and other fixes/changes #9
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Change] added EL6/7 support [Change] removed requirement on exclusive directory structure for dhparam
add el6/7 support and fix typo
…bian and rngd on RedHat [New] added entropy service section to README.md explaining entropy services pro/con
added support for installing entropy service
…before dhparams generates
task reordering
… reduces
run time significantly at no material loss of security
ref: https://security.stackexchange.com/questions/54359/what-is-the-difference-between-diffie-hellman-generator-2-and-5
ref2: https://security.stackexchange.com/questions/95178/diffie-hellman-parameters-still-calculating-after-24-hours
[Change] add '-dsaparam' to openssl generation of DH parameters file;…
gronke
requested changes
Sep 11, 2018
There was a problem hiding this comment.
Thank you for the PR, @nexcess!
Everything looks great, but I'll await the response from security nuts like @foo2342 with their opinion on adding the -dsaparam flag to the openssl dhparam command.
Do you think using handlers to restart the entropy services could work here as well? I'm flagging my review as "Request changes" looking forward to hear back from you.
| @@ -1,9 +1,14 @@ | |||
| --- | |||
|
|
|||
| dhparam_size: 4096 | |||
| dhparam_file: "/etc/ssl/dhparam-{{ dhparams_size }}.pem" | |||
| dhparam_file: "/etc/ssl/dhparam-{{ dhparam_size }}.pem" | |||
|
|
||
| - name: The Diffie-Hellman parameter file is generated | ||
| command: "{{dhparam_openssl_binary}} dhparam -out '{{ dhparam_file }}' {{ dhparam_size }}" | ||
| command: "{{dhparam_openssl_binary}} dhparam -dsaparam -out '{{ dhparam_file }}' {{ dhparam_size }}" |
There was a problem hiding this comment.
Hey @foo2342, what's your opinion on adding the -dsaparam option.
| when: (ansible_distribution == 'Debian') or (ansible_distribution == 'Ubuntu') | ||
|
|
||
| - name: Start the haveged service | ||
| service: name=haveged enabled=yes state=restarted |
There was a problem hiding this comment.
@nexcess could we use a handler to ensure haveged is restarted after configuration changes?
| @@ -5,3 +5,6 @@ | |||
|
|
|||
| - include: install.debian.yml | |||
| when: (ansible_distribution == 'Debian') or (ansible_distribution == 'Ubuntu') | |||
|
|
|||
| - include: install.centos.yml | |||
| when: (ansible_distribution == 'CentOS') or (ansible_distribution == 'Red Hat Enterprise Linux') | |||
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[Fix] dhparam_file default value contains typo in dhparam_size
[Change] added EL6/7 support
[Change] removed requirement on exclusive directory structure for dhparam
[New] added dhparam_entropy_service for installation of haveged on Debian and rngd on RedHat
[New] added entropy service section to README.md explaining entropy services pro/con
[Change] reorder tasks so that entropy service installs if enabled before dhparams generates
[Change] add '-dsaparam' to OpenSSL generation of DH parameters file; reduces run time significantly at no material loss of security
ref: https://security.stackexchange.com/questions/54359/what-is-the-difference-between-diffie-hellman-generator-2-and-5
ref2: https://security.stackexchange.com/questions/95178/diffie-hellman-parameters-still-calculating-after-24-hours