Re: creation of ssl-parameters fails
Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:
Just generate new parameters on some machine with good entropy source.
So, if it fails to transform (although bigger) the machine hasn't enough entropy (because it's quite new?)? I'm generating now on the original machine from last year which is still going on while a second run on one of the machines where it failed to transform is already finished. So, that would indicate it has less entropy? Can I re-use the ssl-parameters.dat for several machines or should I create a new one for each? For the time being I just copied the dh.pem over, to get going, but I guess this should only be a temporary workaround?
Thanks!
Kai
Well, on that machine it took now more than an hour. But it created the same 769 bytes file as on the other machines. And, foreseeable, that one fails to transform as well.
-rw-r--r-- 1 root root 360 Aug  7  2017 ssl-parameters.dat
-rw-r--r-- 1 root root 769 Aug 19 19:25 ssl-parameters.new.dat
I cannot remember how I created the first one, I don't seem to have a record about that. Google says that dovecot would create the ssl-parameters.dat file by itself on first startup. Does or did it do that? If so, then it uses a different creation process. On that machine I had the default dovecot installed and running before going to 2.3. On the new machines I jumped right to 2.3 without ever running 2.2. Maybe 2.3 is not creating this file?
Kai
On 19 August 2018 at 19:38 Kai Schaetzl <maillists@conactive.com> wrote:
Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:
Just generate new parameters on some machine with good entropy source.
So, if it fails to transform (although bigger) the machine hasn't enough entropy (because it's quite new?)? I'm generating now on the original machine from last year which is still going on while a second run on one of the machines where it failed to transform is already finished. So, that would indicate it has less entropy? Can I re-use the ssl-parameters.dat for several machines or should I create a new one for each? For the time being I just copied the dh.pem over, to get going, but I guess this should only be a temporary workaround?
Thanks!
Kai
The transformation probably fails because your ssl-parameters.dat file is somewhat different than what it usually is, so probably the offset should be bigger than 88. You could try using skip=152 and see if it works.
It is not strictly speaking mandatory to have per-installation dh parameters, you can reuse the generated parameters within your site.
Aki
On 19 August 2018 at 20:55 Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
On 19 August 2018 at 19:38 Kai Schaetzl <maillists@conactive.com> wrote:
Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:
Just generate new parameters on some machine with good entropy source.
So, if it fails to transform (although bigger) the machine hasn't enough entropy (because it's quite new?)? I'm generating now on the original machine from last year which is still going on while a second run on one of the machines where it failed to transform is already finished. So, that would indicate it has less entropy? Can I re-use the ssl-parameters.dat for several machines or should I create a new one for each? For the time being I just copied the dh.pem over, to get going, but I guess this should only be a temporary workaround?
Thanks!
Kai
The transformation probably fails because your ssl-parameters.dat file is somewhat different than what it usually is, so probably the offset should be bigger than 88. You could try using skip=152 and see if it works.
It is not strictly speaking mandatory to have per-installation dh parameters, you can reuse the generated parameters within your site.
Aki
Oh and for ssl_dh= you can just use the following command, you don't need to use the ssl-parameters.dat file at all.
openssl gendh 4096 > params.pem
Aki
Aki Tuomi wrote on Sun, 19 Aug 2018 20:56:28 +0300 (EEST):
openssl gendh 4096 > params.pem
Ok. I then misunderstood what's written at https://wiki.dovecot.org/SSL/DovecotConfiguration
I thought I need to create dh.pem in two steps:
- openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
- dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
That's what I did on the first installation. ssl-parameters.dat already existed and I just used the second command to transform it. Now I thought I must have generated ssl-parameters.dat with the first command back then. But apparently I haven't.
Now I was trying to make steps 1 and 2 and that fails because the generated ssl-parameters.dat is apparently not the format expected.
Basically openssl dhparam 4096 > /etc/dovecot/dh.pem would do the trick? I misread that from the wiki.
Before reading your reply I checked https://www.openssl.org/docs/man1.0.2/apps/dhparam.html and tried this command: openssl dhparam -outform DER -out /etc/dovecot/dh-new.pem -2 4096 (after reading Alexander's reply). It just finished and dovecot seems to be working with it, although it's got no DH header line. At least dovecot doesn't complain when starting up. Anyway, I'll now reuse the dh.pem from no. 1 on the other machines.
Thanks for the help!
Kai
On 20.08.2018 14:32, Kai Schaetzl wrote:
Aki Tuomi wrote on Sun, 19 Aug 2018 20:56:28 +0300 (EEST):
openssl gendh 4096 > params.pem
Ok. I then misunderstood what's written at https://wiki.dovecot.org/SSL/DovecotConfiguration
I thought I need to create dh.pem in two steps:
- openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
- dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
That's what I did on the first installation. ssl-parameters.dat already existed and I just used the second command to transform it. Now I thought I must have generated ssl-parameters.dat with the first command back then. But apparently I haven't.
Now I was trying to make steps 1 and 2 and that fails because the generated ssl-parameters.dat is apparently not the format expected.
Basically openssl dhparam 4096 > /etc/dovecot/dh.pem would do the trick? I misread that from the wiki.
Yes. ssl-parameters.dat is a file which contains the generated parameters, and the dd trick is just to save some time; it basically extracts the DER formatted parameters from there and converts them into PEM. The ssl-parameters.dat file is not used by Dovecot in any way after 2.3.0.
Aki
Before reading your reply I checked https://www.openssl.org/docs/man1.0.2/apps/dhparam.html and tried this command: openssl dhparam -outform DER -out /etc/dovecot/dh-new.pem -2 4096 (after reading Alexander's reply). It just finished and dovecot seems to be working with it, although it's got no DH header line. At least dovecot doesn't complain when starting up. Anyway, I'll now reuse the dh.pem from no. 1 on the other machines.
Thanks for the help!
Kai
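The dd trick above assumes the DER parameters start at a fixed offset, which is why it breaks when the file layout differs (and 769 bytes is exactly the PEM encoding of 4096-bit, generator-2 DH parameters, so the newly generated file was already PEM and needed no dd at all). As an added example that is not from this thread or from Dovecot, the Python below locates the DER SEQUENCE by parsing instead of guessing an offset, and passes a file that is already PEM through unchanged; the prefix bytes and toy parameters are constructed for the test.

```python
import base64

PEM_HEAD = "-----BEGIN DH PARAMETERS-----"
PEM_TAIL = "-----END DH PARAMETERS-----"

def read_der_len(buf, pos):
    """Decode the DER length field at buf[pos]; returns (length, field_size) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:                       # short form: one byte holds the length
        return first, 1
    count = first & 0x7F                   # long form: next `count` bytes, big-endian
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), 1 + count

def find_dh_der(blob):
    """Locate SEQUENCE { INTEGER p, INTEGER g } that ends exactly at end of file.
    Returns (offset, der_bytes) or None; this replaces guessing `dd skip=88` vs 152,
    and the end-of-file check rejects stray 0x30 bytes inside the prefix."""
    for off in range(len(blob)):
        if blob[off] != 0x30:
            continue
        parsed = read_der_len(blob, off + 1)
        if parsed is None:
            continue
        length, hdr = parsed
        start, end = off + 1 + hdr, off + 1 + hdr + length
        if end == len(blob) and start < end and blob[start] == 0x02:
            return off, blob[off:end]
    return None

def to_pem(blob):
    """Build dh.pem text from a file that is either already PEM (what `openssl dhparam`
    writes by default) or DER parameters behind an opaque prefix (the layout dd assumes)."""
    text = blob.decode("ascii", errors="ignore")
    if text.lstrip().startswith(PEM_HEAD):
        return text.strip() + "\n"
    found = find_dh_der(blob)
    if found is None:
        return None
    b64 = base64.b64encode(found[1]).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEAD, *lines, PEM_TAIL]) + "\n"

# Constructed input: 40 opaque prefix bytes, a decoy 0x30 with a wrong length, then
# hand-encoded toy parameters p=23, g=5 (a real 4096-bit file holds ~524 DER bytes).
SAMPLE_DER = b"\x30\x06\x02\x01\x17\x02\x01\x05"
SAMPLE_FILE = bytes(range(40)) + b"\x30\x05" + SAMPLE_DER
```

Feed it the file contents and write the returned text to dh.pem; a real file is still worth checking afterwards with `openssl dhparam -in dh.pem -check -noout`.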