The "Logjam Attack" (CVE-2015-4000) exposed several weaknesses in the Diffie-Hellman (DH) key exchange. To help mitigate the "Logjam Attack," PE ships with a pre-generated 2048 bit Diffie-Hellman param file. In the case that you don't want to use the default DH param file, you can generate your own.
<PROXY-CUSTOM-dhparam>.pemcan be replaced with any file name, except
dhparam_puppetproxy.pem, as this is the default file name used by PE.
On your primary server, run:
/opt/puppetlabs/puppet/bin/openssl dhparam -out /etc/puppetlabs/nginx/<PROXY-CUSTOM-dhparam>.pem 2048Note: After running this command, PE can take several minutes to complete this step.
pe.conffile (located at
/etc/puppetlabs/enterprise/conf.d/pe.conf) and add the following parameter and value:
puppet agent -t.