this port brings along a dhparams file that was last re-generated in 2013;
it should be re-generated and not include any <3072 params.
per size it also only has a single param which, as far as I remember, isn't ideal either.
It's also doubtful why it has its own in general, /etc/ssh/moduli *might* be compatible (but probably not accessible if running non-root)
At least maybe using the same source file for that could help.
Another thing that worries me here but totally doesn't relate to this port:
Did no one ever audit the ports tree as a whole for high-entropy things like this after all the NSA shit came down?
No idea who to ask about that, but I see a corpse right here and it's rotten.
I didn't hear anything, and had long forgotten about the issue.
If you know how to get a security person to look into it, please go ahead.
Somehow it seems I just can't "find" the proper channel in cases like this.
I just checked and I really did replace it everywhere in the env I helped run back then:
(ansible snippet that should work everywhere follows)
- name: do not use upstream dhparams file
  shell: rsync -ci /etc/ssh/moduli /usr/local/etc/proftpd/dhparams.pem
  # -i prints one line per transferred file, so empty output means nothing changed
  register: rsync_result
  changed_when: 'rsync_result.stdout != ""'
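As an added example (not from this thread or the port), a small checker for whichever dhparams file ends up installed: it reports the modulus size of every PKCS#3 "DH PARAMETERS" block, flags anything below the 3072-bit floor named above, and lists sizes that have only a single parameter set. The sample PEM is constructed in the block itself (the 3072-bit value is a placeholder, not a real safe prime); an X9.42-style file would need a different parser.

```python
import base64
import re

MIN_BITS = 3072  # the floor named in the thread

def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    """DER INTEGER for a non-negative int (extra 0x00 keeps it positive)."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def make_pem(p, g):
    """Constructed sample: PKCS#3 'DH PARAMETERS' PEM for SEQUENCE { p, g }."""
    inner = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(inner)) + inner).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)

def read_tlv(buf, pos=0):
    """Parse one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of the modulus p in every DH PARAMETERS block, in file order."""
    blocks = re.findall(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    sizes = []
    for b64 in blocks:
        tag, seq, _ = read_tlv(base64.b64decode("".join(b64.split())))
        assert tag == 0x30, "expected SEQUENCE"
        tag, p_bytes, _ = read_tlv(seq)      # first INTEGER is p, second is g
        assert tag == 0x02, "expected INTEGER p"
        sizes.append(int.from_bytes(p_bytes, "big").bit_length())
    return sizes

def audit(pem_text, min_bits=MIN_BITS):
    """Flag moduli below min_bits and sizes that have only one parameter set."""
    sizes = dh_prime_bits(pem_text)
    return {"sizes": sizes,
            "weak": [b for b in sizes if b < min_bits],
            "single_per_size": sorted({b for b in sizes if sizes.count(b) == 1})}
```

Run `audit(open("/usr/local/etc/proftpd/dhparams.pem").read())` against the installed file; a non-empty "weak" list or a populated "single_per_size" list is the condition the first comment describes.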