On Tue, Dec 02, 2014 at 10:12:22AM -0800, Darren Pilgrim wrote:
> On 12/2/2014 10:05 AM, Will Yardley wrote:
>> I had some problems the first few times I restarted with ssl-params seeming to hang, but it finally works.
>
> That would have been dovecot generating the 4096-bit DH parameters. It can take a bit, but Dovecot is quite fast at it. If Dovecot supported it, you could use OpenSSL to generate tested-safe DH parameters and supply them by file the same way you do for Postfix, nginx, etc.

In this case, it was consuming a lot of CPU for 5+ minutes, and the .dat.tmp file hadn't been updated since the process started, so I'm not sure if something went wrong. strace on the ssl-params process itself (without following child procs, anyway) didn't seem to show anything happening. This happened for a couple of restarts.
I enabled verbose ssl logging, restarted, and it seemed to work, then disabled verbose logging again, and it still works.
w