On 19 August 2018 at 20:55 Aki Tuomi aki.tuomi@dovecot.fi wrote:
On 19 August 2018 at 19:38 Kai Schaetzl maillists@conactive.com wrote:
Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:
Just generate new parameters on some machine with good entropy source.
So, if it fails to transform (although bigger), the machine doesn't have enough entropy (because it's quite new?)? I'm generating now on the original machine from last year, which is still running, while a second run on one of the machines where it failed to transform has already finished. So, would that indicate it has less entropy? Can I reuse the ssl-parameters.dat for several machines, or should I create a new one for each? For the time being I just copied the dh.pem over to get going, but I guess this should only be a temporary workaround?
Thanks!
Kai
The transformation probably fails because your ssl-parameters.dat file is somewhat different from what it usually is, so the offset should probably be bigger than 88. You could try using skip=152 and see if it works.
It is not strictly speaking mandatory to have per-installation dh parameters, you can reuse the generated parameters within your site.
Aki
Oh, and for ssl_dh= you can just use the following command; you don't need to use the ssl-parameters.dat file at all.
openssl gendh 4096 > params.pem
Aki
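The thread above guesses at the dd skip= offset (88 or 152) where the DER-encoded DH parameters start inside ssl-parameters.dat. Instead of guessing, the blob can be scanned for a PKCS#3 DHParameter structure (SEQUENCE of two INTEGERs, p and g) and the hit written out as the dh.pem that ssl_dh expects. The following is an added example, not code from the thread or from Dovecot; the header layout of the sample file is a constructed stand-in, not Dovecot's real on-disk format, and no primality check is done (pipe the output through openssl dhparam -check for that).

```python
import base64

# Constructed sample input below, not a real Dovecot ssl-parameters.dat: the
# header layout is an assumption; only the DER DH parameters block is realistic.

def _der_len(n):
    """DER length encoding (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_uint(v):
    """DER INTEGER for a non-negative value; pads a leading 0x00 if the high bit is set."""
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(b)) + b

def der_dh_params(p, g):
    """PKCS#3 DHParameter: SEQUENCE { prime INTEGER, base INTEGER }."""
    body = _der_uint(p) + _der_uint(g)
    return b"\x30" + _der_len(len(body)) + body

def _read_tlv(buf, pos, tag):
    """Parse one DER TLV with the given tag at pos; return (value, end) or None."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        return None
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        return None
    return buf[pos:pos + length], pos + length

def parse_dh_params(blob, offset, min_bits=1024):
    """Return (p, g, der) if a plausible DHParameter starts at offset, else None.
    Structural check only: use `openssl dhparam -check` to verify p is prime."""
    seq = _read_tlv(blob, offset, 0x30)
    if seq is None:
        return None
    body, end = seq
    p_tlv = _read_tlv(body, 0, 0x02)
    if p_tlv is None:
        return None
    p_bytes, pos = p_tlv
    g_tlv = _read_tlv(body, pos, 0x02)
    if g_tlv is None or g_tlv[1] != len(body):   # exactly two INTEGERs, nothing trailing
        return None
    g_bytes = g_tlv[0]
    if not p_bytes or not g_bytes or p_bytes[0] & 0x80 or g_bytes[0] & 0x80:
        return None                               # reject negative INTEGERs
    p = int.from_bytes(p_bytes, "big")
    g = int.from_bytes(g_bytes, "big")
    if p.bit_length() < min_bits or p % 2 == 0 or not 1 < g < p:
        return None
    return p, g, blob[offset:end]

def find_dh_params(blob, min_bits=1024):
    """Scan every byte offset (the would-be dd skip= value) for embedded DH parameters."""
    for off in range(len(blob)):
        if blob[off] != 0x30:
            continue
        hit = parse_dh_params(blob, off, min_bits)
        if hit:
            p, g, der = hit
            return {"offset": off, "p_bits": p.bit_length(), "g": g, "der": der}
    return None

def to_pem(der):
    """Wrap DER DH parameters in the PEM form used for dh.pem."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN DH PARAMETERS-----", *lines,
                      "-----END DH PARAMETERS-----"]) + "\n"

def sample_blob(header_len):
    """Constructed test input: header_len filler bytes (no DER in them), then DH
    params with a 1024-bit odd modulus (not a real prime; enough to exercise the locator)."""
    p = (1 << 1023) | (1 << 1022) | 1
    header = b"constructed header, not the real Dovecot layout".ljust(header_len, b"\xff")
    return header + der_dh_params(p, 2)

if __name__ == "__main__":
    for hdr in (88, 152):
        hit = find_dh_params(sample_blob(hdr))
        print(f"header {hdr}: params at skip={hit['offset']}, {hit['p_bits']}-bit p, g={hit['g']}")
    print(to_pem(find_dh_params(sample_blob(152))["der"]), end="")
```

Run against a real file with `find_dh_params(open("ssl-parameters.dat", "rb").read())`: the returned offset is the skip= value the thread is trying to find, and `to_pem(hit["der"])` is the dh.pem content. The minimum-size and trailing-data checks are what stop a stray 0x30 byte in the header from being accepted as a bogus parameter set.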