Am 31.10.2014 um 15:51 schrieb Teemu Huovila:
On 10/31/2014 12:13 PM, Thomas Leuxner wrote:
with the latest HG 267bca7a62fb the following error started to appear in the logs:
Oct 31 09:39:07 nihlus dovecot: master: Dovecot v2.2.15 (267bca7a62fb) starting up for imap, lmtp [...] Oct 31 10:10:52 nihlus dovecot: lmtp(20876): Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360 Oct 31 10:10:52 nihlus dovecot: lmtp(20876): Error: Couldn't initialize SSL parameters, disabling SSL Oct 31 10:10:52 nihlus dovecot: lmtp(20876): Connect from local
This most likely has been introduced with a commit after the previous build installed (aa5dde56424f). I did not find options to disable SSL for LMTP either, as in my setup I'm using a UNIX socket. There seems to be an issue with setting a non-default, e.g. 2048, value for ssl_dh_parameters_length. A work around is to revert to the default 1024
what is a joke these days - what is "non-default" in case of 2048? frankly you need at least 3072 for AES128 and 2048 *is default* go out and by a 1024 bit certificate - you won't get it the days of 1024 in context of encryption are gone
- httpd can deal for a long time with larger keys and dh-params
- openvpn the same
Thu Oct 30 16:11:12 2014 Diffie-Hellman initialized with 4096 bit key Thu Oct 30 15:11:24 2014 62.178.103.85:59278 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA Thu Oct 30 16:11:24 2014 client/62.178.103.85:59278 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA Thu Oct 30 17:11:25 2014 client/62.178.103.85:59278 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA