On 10.9.2013, at 22.57, Dimi - 00tj45@gmail.com wrote:
Hi! Is there any possibility to let Dovecot serve >1024-bit DH parameters on SSL/TLS connections? Is it possible to replace /var/lib/dovecot/ssl-parameters.ssl with DH parameters generated by openssl?
If not: are there any plans to implement that?
It would be simple enough to add support for more bits, but I don't know how SSL_CTX_set_tmp_dh_callback() is supposed to select between them. Should it do it based on the keylength parameter, or should it just always use the highest-bit parameters? How much CPU do larger DH keys use on the server and/or client? Should this be configurable? Maybe it would be a good idea to allow OpenSSL-compatible DH parameter files.
All in all: I don't know enough about SSL to be very confident about how to implement this properly.
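Added example, not code from Dovecot or OpenSSL: two pure-C helpers of the kind a tmp_dh callback could be built on, covering both halves of the reply above. dh_param_bits() reads the bit length of the prime p out of a DER-encoded DH PARAMETERS blob (SEQUENCE { INTEGER p, INTEGER g }, which is what `openssl dhparam -outform DER` writes; the PEM form is the same bytes base64-wrapped), so a server loading an admin-supplied file can tell what size group it actually has. select_dh_index() is one answer to the "keylength or always the highest?" question: honour both the keylength the callback receives and an admin-configured minimum, take the smallest configured set that satisfies both, and fall back to the largest available. All function names are hypothetical, and the embedded parameter blob is constructed for the parser only (p is all ones, not a prime, not usable for TLS).

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal DER reader: expects `expect_tag` at buf[0], decodes the length
 * (short or long form) and returns a pointer to the content. */
static int der_read_tlv(const unsigned char *buf, size_t buflen, unsigned char expect_tag,
                        const unsigned char **content, size_t *content_len, size_t *consumed)
{
    size_t i, k, len = 0, nbytes;
    if (buflen < 2 || buf[0] != expect_tag) return -1;
    i = 1;
    if (buf[i] < 0x80) {
        len = buf[i++];
    } else {
        nbytes = buf[i++] & 0x7f;
        if (nbytes == 0 || nbytes > sizeof(size_t) || i + nbytes > buflen) return -1;
        for (k = 0; k < nbytes; k++) len = (len << 8) | buf[i++];
    }
    if (len > buflen - i) return -1;
    *content = buf + i;
    *content_len = len;
    *consumed = i + len;
    return 0;
}

/* Bit length of p in DER "DH PARAMETERS" (SEQUENCE { INTEGER p, INTEGER g }).
 * Returns 0 if the blob is malformed or g is missing. */
int dh_param_bits(const unsigned char *der, size_t len)
{
    const unsigned char *seq, *p, *g;
    size_t seqlen, plen, glen, used;
    int top = 0;
    unsigned char b;

    if (der_read_tlv(der, len, 0x30, &seq, &seqlen, &used) != 0) return 0;
    if (der_read_tlv(seq, seqlen, 0x02, &p, &plen, &used) != 0) return 0;
    if (der_read_tlv(seq + used, seqlen - used, 0x02, &g, &glen, &used) != 0) return 0;

    /* DER prepends a 0x00 when the top bit of p is set; it does not count. */
    while (plen > 0 && *p == 0) { p++; plen--; }
    if (plen == 0) return 0;
    for (b = *p; b; b >>= 1) top++;
    return (int)((plen - 1) * 8 + top);
}

/* Choose which configured parameter set (bits[] sorted ascending) a tmp_dh
 * callback should return. Never go below what the library asked for
 * (keylength) or below the admin's configured minimum; otherwise the largest. */
int select_dh_index(const int *bits, size_t n, int keylength, int min_bits)
{
    size_t i;
    int floor_bits = keylength > min_bits ? keylength : min_bits;
    if (n == 0) return -1;
    for (i = 0; i < n; i++)
        if (bits[i] >= floor_bits) return (int)i;
    return (int)n - 1;
}

/* Constructed sample (hypothetical admin configuration): three parameter sets. */
static const int kSampleSets[] = {1024, 2048, 4096};

/* Constructed sample blob: 1024-bit p of all ones (NOT a prime), g = 2.
 * Layout: 30 81 87 | 02 81 81 00 FF*128 | 02 01 02  => 138 bytes. */
size_t build_sample_der(unsigned char *out, size_t outlen)
{
    size_t i = 0, k;
    if (outlen < 138) return 0;
    out[i++] = 0x30; out[i++] = 0x81; out[i++] = 0x87;  /* SEQUENCE, length 135 */
    out[i++] = 0x02; out[i++] = 0x81; out[i++] = 0x81;  /* INTEGER p, length 129 */
    out[i++] = 0x00;                                    /* pad byte, top bit set */
    for (k = 0; k < 128; k++) out[i++] = 0xFF;
    out[i++] = 0x02; out[i++] = 0x01; out[i++] = 0x02;  /* INTEGER g = 2 */
    return i;
}

/* Convenience for the reader/test: bit length of the constructed sample. */
int sample_param_bits(void)
{
    unsigned char buf[256];
    size_t n = build_sample_der(buf, sizeof buf);
    return dh_param_bits(buf, n);
}

int main(void)
{
    int idx = select_dh_index(kSampleSets, 3, 1024, 2048);
    printf("sample blob: %d-bit p\n", sample_param_bits());
    printf("keylength 1024, configured minimum 2048 -> use %d-bit set\n", kSampleSets[idx]);
    return 0;
}
```

Reading the size back out of the file is the check that makes an "always use the highest" policy meaningful: the callback can only rank what it has actually parsed. A real callback would wrap the chosen set in the library's DH object; that part is deliberately left out here since it is OpenSSL-specific.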