Unverified commit 95a3a84e authored by Martin Weinelt

nixos/dhparams: deprecate, schedule removal

Generating your own dhparams has been obsoleted by RFC 7919 (2016).

DHE itself has been obsoleted by ECDHE (RFC8422, 2018) and Hybrid PQ
(draft-ietf-tls-ecdhe-mlkem, 2026) key exchanges.

TLS 1.3 (RFC8446, 2018) stopped defining any DHE cipher suites and lists
this as a major difference from TLS 1.2.
parent 4f2c6ff7
+74 −61
@@ -143,7 +143,19 @@ in
    };
  };

  config = lib.mkIf (cfg.enable && cfg.stateful) {
  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      warnings = [
        ''
          The `security.dhparam` module is deprecated and scheduled for removal in NixOS 26.11.
          Generating your own params has been shown to be problematic in RFC 7919 (2016).

          Remove any uses of DHE and migrate to ECDHE (RFC 8422, 2018) and
          Hybrid PQ (draft-ietf-tls-ecdhe-mlkem, 2026) key exchange algorithms.
        ''
      ];
    })
    (lib.mkIf (cfg.enable && cfg.stateful) {
      systemd.services = {
        dhparams-init = {
          description = "Clean Up Old Diffie-Hellman Parameters";
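Review bot: The warning text in the new `lib.mkIf cfg.enable` block names the `security.dhparam` module but not the option that triggers it, so a user who hits this at evaluation time still has to work out what to change. Consider naming `security.dhparam.enable` in the first sentence, and noting that services consuming entries from `cfg.params` need their DHE configuration dropped before the module is disabled. The phrasing "has been shown to be problematic in RFC 7919" also differs from the commit message's "obsoleted by RFC 7919"; using one wording in both places would keep the warning and the history consistent.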
@@ -205,6 +217,7 @@ in
          '';
        }
      ) cfg.params;
  };
    })
  ];

}