=== modified file 'debian/control'
--- debian/control 2015-07-06 21:02:27 +0000
+++ debian/control 2015-07-09 20:32:52 +0000
@@ -41,7 +41,7 @@
 Architecture: linux-any
 Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, cryptsetup, gnupg (<< 2), initramfs-tools, dpkg-dev (>=1.16.0)
-Recommends: ssh
+Recommends: ssh, gnutls-bin | openssl
 Breaks: dropbear (<= 0.53.1-1)
 Enhances: cryptsetup
 Description: do unattended reboots with an encrypted root file system
=== modified file 'debian/mandos-client.postinst'
--- debian/mandos-client.postinst 2011-10-10 20:29:58 +0000
+++ debian/mandos-client.postinst 2015-07-09 20:32:52 +0000
@@ -63,10 +63,36 @@
 fi
 }
 
+create_dh_params(){
+ if [ -r /etc/keys/mandos/client-dhparams.pem ]; then
+ return 0
+ fi
+ # Create a Diffe-Hellman parameters file
+ DHFILE="`mktemp -t mandos-client-dh-parameters.XXXXXXXXXX.pem`"
+ # First try certtool from GnuTLS
+ if ! certtool --generate-dh-params --sec-param high \
+ --outfile "$DHFILE"; then
+ # Otherwise try OpenSSL
+ if ! openssl genpkey -genparam -algorithm DH -out "$DHFILE" \
+ -pkeyopt dh_paramgen_prime_len:3072; then
+ # None of the commands succeded; give up
+ rm -- "$DHFILE"
+ return 1
+ fi
+ fi
+ sed --in-place --expression='0,/^-----BEGIN DH PARAMETERS-----$/d' \
+ "$DHFILE"
+ sed --in-place --expression='1i-----BEGIN DH PARAMETERS-----' \
+ "$DHFILE"
+ cp --archive "$DHFILE" /etc/keys/mandos/client-dhparams.pem
+ rm -- "$DHFILE"
+}
+
 case "$1" in
 configure)
 add_mandos_user "$@"
 create_key "$@"
+ create_dh_params "$@" || :
 update_initramfs "$@"
 ;;
 abort-upgrade|abort-deconfigure|abort-remove)
=== modified file 'plugins.d/mandos-client.c'
--- plugins.d/mandos-client.c 2015-07-08 21:18:49 +0000
+++ plugins.d/mandos-client.c 2015-07-09 20:32:52 +0000
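Review bot: The `DHFILE="`mktemp -t ...`"` assignment in create_dh_params is unchecked, so when mktemp fails DHFILE is empty, certtool/openssl are pointed at `""`, and `rm -- ""` runs on the failure path; append `|| return 1` to that assignment. Separately, the address `0,/^-----BEGIN DH PARAMETERS-----$/d` deletes to end of input when no BEGIN line is present, the following `1i` then emits nothing on an empty file, and the resulting zero-byte file is copied to /etc/keys/mandos/client-dhparams.pem, after which the `-r` guard at the top never regenerates it; a `grep -q '^-----BEGIN DH PARAMETERS-----$' "$DHFILE" || { rm -- "$DHFILE"; return 1; }` before the two sed calls guards that. The comments also misspell "Diffie-Hellman" and "succeeded". Whether the script runs under `set -e` is outside the hunk, which affects how an unchecked mktemp failure behaves.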
@@ -2546,6 +2546,28 @@
 }
 }
 
+ if(strcmp(dh_params_file, PATHDIR "/client-dhparams.pem" )
+ == 0){
+ int dhparams_fd = open(dh_params_file, O_RDONLY);
+ if(dhparams_fd == -1){
+ perror_plus("open");
+ } else {
+ ret = (int)TEMP_FAILURE_RETRY(fstat(dhparams_fd, &st));
+ if(ret == -1){
+ perror_plus("fstat");
+ } else {
+ if(S_ISREG(st.st_mode)
+ and st.st_uid == 0 and st.st_gid == 0){
+ ret = fchown(dhparams_fd, uid, gid);
+ if(ret == -1){
+ perror_plus("fchown");
+ }
+ }
+ }
+ TEMP_FAILURE_RETRY(close(dhparams_fd));
+ }
+ }
+
 /* Lower privileges */
 ret_errno = lower_privileges();
 if(ret_errno != 0){
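Review bot: `open(dh_params_file, O_RDONLY)` follows symlinks, so the root:root regular-file check and the `fchown(dhparams_fd, uid, gid)` apply to whatever the default path resolves to, not only to a file placed at that path; opening with `O_RDONLY | O_NOFOLLOW` keeps the ownership change confined to PATHDIR "/client-dhparams.pem" itself. The block has no comment explaining why only the default file is re-owned, and the condition reads as arbitrary without it; a line such as `/* Hand the default DH parameters file to the unprivileged user so it stays readable after lower_privileges() */` above the strcmp would document the intent, which is inferred here since the code that loads the file is not in the hunk. If dh_params_file can still be NULL at this point (option not given and no default assigned earlier), the strcmp dereferences it; the assignment is not visible in the hunk. The enclosing function starts and ends outside the hunk.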