Changeset

--- a/core/certmanager.lua	Fri Jul 12 15:21:08 2024 +0200
+++ b/core/certmanager.lua	Fri Jul 12 15:06:42 2024 +0200
@@ -213,6 +213,18 @@
 	dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" };
 }
 
+-- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1
+local ffdhe2048 = [[
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
+]]
+
 local mozilla_ssl_configs = {
 	-- https://wiki.mozilla.org/Security/Server_Side_TLS
 	-- Version 5.7 as of 2023-07-09
@@ -225,7 +237,7 @@
 	};
 	intermediate = {
 		protocol = "tlsv1_2+";
-		dhparam = nil; -- ffdhe2048.txt
+		dhparam = ffdhe2048;
 		options = { cipher_server_preference = false };
 		ciphers = {
 			"ECDHE-ECDSA-AES128-GCM-SHA256";