ssl-params: slow startup (patch for consideration)
Based on the recent found weaknesses in DH key exchange,
http://weakdh.org/
I increased ssl_dh_parameters_length to 2048 bits, and found waited
for 5+ minutes for dovecot to come back online after a restart.
Unless you got a fast machine, the initialization of DH parameters can
exceed your patience.
Regeneration may not be a problem (if ssl_parameters_regenerate=0 or if
Dovecot uses old parameters until regeneration finishes), but for cold
starts, the server can be tied up for a few minutes creating DH parameters
while clients queue up.
I ran "openssl dhparam 2048" and got wildly varying run times of 1m45s,
11m56s, 0.4s, 2m19s, 3h23s. Most of the time was spent testing primality
of candidate p *and* (p-1)/2 -- so called "safe prime". If you're
unlucky, this can take a long time.
However, it appears "safe" primes are not what they're cracked up to be
-- they offer some guarantees, but are not safer than non-safe primes.
Creating DH parameters without requiring primality of (p-1)/2 (i.e. what
"openssl dhparam -dsaparam" does) results in much lower run-time bounds.
I cribbed some OpenSSL code to create this (untested) patch.
--------------------------------------------------------------------------------
--- iostream-openssl-params.c~ Tue Nov 3 16:08:38 2015
+++ iostream-openssl-params.c Tue Nov 3 15:43:39 2015
@@ -6,5 +6,2 @@
-/* 2 or 5. Haven't seen their difference explained anywhere, but 2 is the
- default.. */
-#define DH_GENERATOR 2
@@ -14,2 +11,3 @@
DH *dh;
+ DSA *dsa;
unsigned char *p;
@@ -17,3 +15,13 @@
- dh = DH_generate_parameters(bitsize, DH_GENERATOR, NULL, NULL);
+ dsa = DSA_generate_parameters(bitsize, NULL, 0, NULL, NULL, NULL, NULL);
+ if (dsa == NULL) {
+ *error_r = t_strdup_printf(
+ "DSA_generate_parameters(bits=%d) failed: %s",
+ bitsize, openssl_iostream_error());
+ return -1;
+ }
+
+ dh = DSA_dup_DH(dsa);
+ DSA_free(dsa);
+
if (dh == NULL) {
@@ -20,4 +28,4 @@
*error_r = t_strdup_printf(
- "DH_generate_parameters(bits=%d, gen=%d) failed: %s",
- bitsize, DH_GENERATOR, openssl_iostream_error());
+ "DSA_dup_DH() failed: %s",
+ openssl_iostream_error());
return -1;
--------------------------------------------------------------------------------
The other way to prevent long startup times is to pre-compute the DH
parameter using "openssl dhparam -out dh2048.pem 2048". I can contribute
a patch to do this (read file, convert it into ssl-parameters.dat, then
set/behave like ssl_parameters_regenerate=0), but I couldn't figure
out the best place to do this. ssl_params_if_unchanged()?
Joseph Tam
Joseph Tam:
Based on the recent found weaknesses in DH key exchange,
I increased ssl_dh_parameters_length to 2048 bits, and found waited for 5+ minutes for dovecot to come back online after a restart. Unless you got a fast machine, the initialization of DH parameters can exceed your patience.
Regeneration may not be a problem (if ssl_parameters_regenerate=0 or if Dovecot uses old parameters until regeneration finishes), but for cold starts, the server can be tied up for a few minutes creating DH parameters while clients queue up.
I ran "openssl dhparam 2048" and got wildly varying run times of 1m45s, 11m56s, 0.4s, 2m19s, 3h23s. Most of the time was spent testing primality of candidate p *and* (p-1)/2 -- so called "safe prime". If you're unlucky, this can take a long time.
However, it appears "safe" primes are not what they're cracked up to be -- they offer some guarantees, but are not safer than non-safe primes. Creating DH parameters without requiring primality of (p-1)/2 (i.e. what "openssl dhparam -dsaparam" does) results in much lower run-time bounds.
I cribbed some OpenSSL code to create this (untested) patch.
precomputing ssl-params is also possible without patching but it's a
little bit tricky
generate a temporary minimal config cat <<EOF > /tmp/ssl-params.conf ssl_dh_parameters_length = 4096 state_dir = /tmp/ EOF
calculation rm -f /tmp/ssl-parameters.dat* nice -n 19 /path/to/ssl-params -c /tmp/ssl-params.conf
move the result to your running dovecot mv /tmp/ssl-parameters.dat /path/to/ssl-parameters.dat doveadm reload rm /tmp/ssl-params.conf
Long version in german: https://andreasschulze.de/dovecot/ssl-params
Andreas
participants (2)
-
A. Schulze
-
Joseph Tam