On 05/27/2015 09:55 AM, Rick Romero wrote:
> Quoting Gedalya <gedalya@gedalya.net>:
>> On 05/26/2015 10:37 AM, Ron Leach wrote:
>>> https://weakdh.org/sysadmin.html
>>> includes altering the DH parameter length to 2048, and re-specifying the allowable cipher suites - they give their suggestion.
>> It looks like there is an error on this page regarding regeneration. In current Dovecots, ssl_parameters_regenerate defaults to zero, and this means regeneration is disabled. The old default was 168 hours (1 week). The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is confusing and could be understood to mean that the current default is one week. To enable regeneration you can manually set: ssl_parameters_regenerate = 60 days or: ssl_parameters_regenerate = 1 weeks
> This is really cool and all, but for a low-power proxy, it takes a good 5 minutes to regenerate the dh params, and Dovecot listens the entire time.
> If the socket were closed during regeneration, then a (basic) front-end load balancer wouldn't still push connections to that proxy during regen.
> Rick
I wonder if what is taking 5 minutes is CPU usage or entropy starvation. Might be worth looking into.
However, the entire reason why I wrote this comment was to correct the mistaken line saying "#regenerates every week". It is not at this point emphasized anywhere, including on weakdh.org, that it is actually of high importance to regenerate your DH parameters frequently. This has been discussed extensively e.g. within the exim project and other places, and on Dovecot too the default was changed to not regenerate. It seems that people are mostly just saying you should have locally generated parameters unique to your site.
But to address your point, if this feature is deemed worth maintaining, it seems it would be best to spawn a thread working on the new parameters in the background and replacing them when ready.
Otherwise Dovecot can just implement a dh_parameters config option like all other daemons and you can maintain that externally as you please. But we're supposed to be focusing on EC anyway :-)
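Added example (not from the thread, not Dovecot project code): if you follow the weakdh.org advice and maintain your own locally generated parameters, the check worth having is whether the file you deploy really contains a 2048-bit group. The script below parses a "DH PARAMETERS" PEM block of the kind `openssl dhparam -out dh.pem 2048` writes (PKCS #3 DHParameter: SEQUENCE of INTEGER p, INTEGER g) without depending on openssl, and reports the prime size and generator. Assumptions: the PEM/DER layout just described; the sample values WEAK_P and OK_P are constructed odd numbers of the right bit length only, not primes, and exist solely to exercise the parser. Dovecot 2.x's internally regenerated parameters live in its own file format, which this does not read.

```python
import base64
import re

# weakdh.org's recommendation for finite-field DH group size (in bits).
MIN_BITS = 2048


def _der_len(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER for a non-negative value (a leading 0x00 keeps the sign bit clear)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params_pem(p, g):
    """Write a PKCS #3 DHParameter (SEQUENCE { p, g }) as a 'DH PARAMETERS' PEM block."""
    inner = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def _read_tlv(buf, pos, expected_tag):
    """Read one DER tag-length-value at buf[pos]; return (value_bytes, offset_after)."""
    if pos + 1 >= len(buf) or buf[pos] != expected_tag:
        raise ValueError("expected DER tag 0x%02x at offset %d" % (expected_tag, pos))
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:end], end


def parse_dh_params_pem(pem):
    """Return (p, g) from a 'DH PARAMETERS' PEM block; an optional third INTEGER is ignored."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after DHParameter SEQUENCE")
    p_bytes, pos = _read_tlv(seq, 0, 0x02)
    g_bytes, pos = _read_tlv(seq, pos, 0x02)
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def audit_dh_params(pem, min_bits=MIN_BITS):
    """Size and sanity checks only; primality is left to 'openssl dhparam -check'."""
    p, g = parse_dh_params_pem(pem)
    bits = p.bit_length()
    problems = []
    if bits < min_bits:
        problems.append("prime is %d bits, below the %d-bit minimum" % (bits, min_bits))
    if p % 2 == 0:
        problems.append("p is even, so it cannot be prime")
    if g not in (2, 5):
        problems.append("unusual generator %d (openssl dhparam uses 2 or 5)" % g)
    return {"bits": bits, "generator": g, "ok": not problems, "problems": problems}


# Constructed sample values: odd numbers of the right size to exercise the parser.
# They are NOT primes and must never be used as real DH parameters.
WEAK_P = (1 << 1023) | 0x0F01      # 1024-bit, the old default size
OK_P = (1 << 2047) | 0x0F01        # 2048-bit
SAMPLE_WEAK_PEM = encode_dh_params_pem(WEAK_P, 2)
SAMPLE_OK_PEM = encode_dh_params_pem(OK_P, 2)

if __name__ == "__main__":
    import sys
    # Usage: python dhcheck.py [dh.pem]; without a file, audit the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(audit_dh_params(fh.read()))
    else:
        print("1024-bit sample:", audit_dh_params(SAMPLE_WEAK_PEM))
        print("2048-bit sample:", audit_dh_params(SAMPLE_OK_PEM))
```

Run it against the dh.pem you hand to your daemons; a result with "ok": False on the bit count means the file still carries a pre-weakdh group size and should be regenerated with `openssl dhparam 2048`. The script deliberately does not test primality (a Miller-Rabin pass over a 2048-bit value is cheap, but `openssl dhparam -check` already does it and also verifies the generator), so it cannot tell a real group from the constructed samples above.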