[Dovecot] ssl-params regeneration with dovecot 2.2.7

Reindl Harald h.reindl at thelounge.net
Wed Nov 6 12:40:29 EET 2013

Am 05.11.2013 20:01, schrieb Frank Elsner:
> after switching from version 2.2.6 to 2.2.7 I miss the loglines which say:
> ssl-params: Generating SSL parameters
> ssl-params: SSL parameters regeneration completed
> What's going on? No more logging or no regeneration?

it is intentional i guess

ssl-params: Added ssl_dh_parameters_length & removed ssl_parameters_regenerate setting

ssl-params: Added ssl_dh_parameters_length & removed ssl_parameters_regenerate setting.
ssl_parameters_regenerate was based on some text from GNUTLS documentation a
long time ago, but there's really not much point in doing it.

Ideally we should also support "openssl dhparam" input files, but for now
there's the ssl_dh_parameters_length setting that can be used to specify the
wanted DH parameters length. If the current ssl-parameters.dat has a
different length, it's regenerated.

We should probably at some point support also built-in DH parameters which
are returned while the ssl-params runs.

-------- Original-Nachricht --------
Betreff: Re: [Dovecot] DH parameter length too small?
Datum: Sat, 2 Nov 2013 15:28:33 +0200
Von: Timo Sirainen <tss at iki.fi>
Antwort an: Dovecot Mailing List <dovecot at dovecot.org>
An: Jörg Lübbert <j.luebbert at kaladix.org>
Kopie (CC): Dovecot Mailing List <dovecot at dovecot.org>

On 14.10.2013, at 19.08, Jörg Lübbert <j.luebbert at kaladix.org> wrote:

> from my understanding, using 1024bit DH parameters results in a not
> sufficiently secure key exchange for DH(E). Therefore I think it would
> be advisable to have parameters of at least 2048bit . In fact, I would
> see a great benefit in chosing parameter length arbitrarily.
> I also do not see the benefit of parameter regeneration. What were the design goals here?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 263 bytes
Desc: OpenPGP digital signature
URL: <http://dovecot.org/pipermail/dovecot/attachments/20131106/9b936264/attachment.bin>

More information about the dovecot mailing list