On 05.11.2013 20:01, Frank Elsner wrote:
after switching from version 2.2.6 to 2.2.7 I miss the log lines which say:
ssl-params: Generating SSL parameters
ssl-params: SSL parameters regeneration completed
What's going on? No more logging or no regeneration?
It is intentional, I guess.
http://hg.dovecot.org/dovecot-2.2/rev/43ab5abeb8f0
ssl-params: Added ssl_dh_parameters_length & removed ssl_parameters_regenerate setting
ssl-params: Added ssl_dh_parameters_length & removed ssl_parameters_regenerate setting. ssl_parameters_regenerate was based on some text from GNUTLS documentation a long time ago, but there's really not much point in doing it.
Ideally we should also support "openssl dhparam" input files, but for now there's the ssl_dh_parameters_length setting that can be used to specify the wanted DH parameters length. If the current ssl-parameters.dat has a different length, it's regenerated.
We should probably at some point support also built-in DH parameters which are returned while the ssl-params runs.
-------- Original Message --------
Subject: Re: [Dovecot] DH parameter length too small?
Date: Sat, 2 Nov 2013 15:28:33 +0200
From: Timo Sirainen tss@iki.fi
Reply-To: Dovecot Mailing List dovecot@dovecot.org
To: Jörg Lübbert j.luebbert@kaladix.org
CC: Dovecot Mailing List dovecot@dovecot.org
On 14.10.2013, at 19.08, Jörg Lübbert j.luebbert@kaladix.org wrote:
from my understanding, using 1024-bit DH parameters results in a not sufficiently secure key exchange for DH(E). Therefore I think it would be advisable to have parameters of at least 2048 bit. In fact, I would see a great benefit in choosing the parameter length arbitrarily.
I also do not see the benefit of parameter regeneration. What were the design goals here?
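The commit message above describes regenerating the DH parameters when their length differs from ssl_dh_parameters_length, and mentions "openssl dhparam" input files as the ideal input; Jörg's point is that 1024-bit groups are too small. The following is an added example, not Dovecot's code and not a reader of its own ssl-parameters.dat format: it parses a PEM "DH PARAMETERS" file (PKCS#3 DHParameter, a DER SEQUENCE of the prime p and generator g), reports the bit length of p, and applies the same "different length means regenerate" rule. The sample parameters are constructed in-line (the prime is a placeholder, not a real safe prime) so the check runs offline.

```python
import base64
import textwrap

BEGIN = "-----BEGIN DH PARAMETERS-----"
END = "-----END DH PARAMETERS-----"


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER; the extra byte keeps a high-bit value positive."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def build_dh_params_pem(p: int, g: int = 2) -> str:
    """Encode SEQUENCE { prime INTEGER, base INTEGER } as a PEM file (constructed sample)."""
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    b64 = base64.b64encode(der).decode()
    return BEGIN + "\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n" + END + "\n"


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def dh_param_bits(pem: str) -> int:
    """Bit length of the prime p in a PEM 'DH PARAMETERS' block."""
    lines = [ln.strip() for ln in pem.splitlines()]
    der = base64.b64decode("".join(lines[lines.index(BEGIN) + 1:lines.index(END)]))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DH parameters are not a DER SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("first SEQUENCE element is not an INTEGER")
    return int.from_bytes(p_bytes, "big").bit_length()


def needs_regeneration(pem: str, wanted_bits: int) -> bool:
    """Same rule as the commit: any length other than the configured one triggers regeneration."""
    return dh_param_bits(pem) != wanted_bits
```

Against a real file produced by `openssl dhparam -out dh.pem 2048`, `dh_param_bits(open("dh.pem").read())` returns 2048.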