upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
Hi, sorry if this question was asked already. I was reading https://wiki2.dovecot.org/Upgrading/2.3
First, I'm confused by the Diffie-Hellman parameters file. I never set up
ssl-parameters.dat before (should I have? Do I have one that was
automatically made for me by Dovecot?)
Do I need to make a fresh dh.pem? The upgrade doc tells how to convert
ssl-parameters.dat, but how to make a new one?
The other question is: if I copy ssl_min_protocol from the example config into
my existing config, is that enough? Do experts on this list recommend
any tweaks that increase client requirements more than the Dovecot
developers are comfortable with but will ensure more secure protocol
usage?
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
On 22 June 2018 at 10:18 tai74@vfemail.net wrote:
> Hi, sorry if this question was asked already. I was reading https://wiki2.dovecot.org/Upgrading/2.3
> First, I'm confused by the Diffie-Hellman parameters file. I never set up
> ssl-parameters.dat before (should I have? Do I have one that was
> automatically made for me by Dovecot?)
> Do I need to make a fresh dh.pem? The upgrade doc tells how to convert
> ssl-parameters.dat, but how to make a new one?
2.2 makes the ssl-parameters.dat automatically. You can choose to either use that with the instructions given, or you can make a fresh one using openssl gendh 4096 > dh.pem
Note that this will require quite a lot of entropy, so you should probably ensure that you run it on a laptop or with a virtual machine that has some entropy source/helper.
> The other question is: if I copy ssl_min_protocol from the example config into
> my existing config, is that enough? Do experts on this list recommend
> any tweaks that increase client requirements more than the Dovecot
> developers are comfortable with but will ensure more secure protocol
> usage?
ssl_min_protocol defines the minimum TLS protocol the server supports. We recommend TLSv1, but if you want, you can experiment with TLSv1.2, which will decrease client compatibility a bit.
Aki
On Fri, 22 Jun 2018, Aki Tuomi wrote:
> Do I need to make a fresh dh.pem? The upgrade doc tells how to convert ssl-parameters.dat but how to make a new one?
> ... or you can make a fresh one using openssl gendh 4096 > dh.pem
This also works:
openssl dhparam -out dh.pem 4096
> Note that this will require quite a lot of entropy, so you should probably ensure that you run it on a laptop or with a virtual machine that has some entropy source/helper.
It can take an extraordinary amount of time for long keys. Most of the time/entropy is taken up to produce a "safe" prime (p) such that (p-1)/2 is also prime to resist some factoring algorithms.
However, recent advances make this condition obsolete [*] and not really safer, so a much faster way to generate a DH key is
openssl dhparam -dsaparam -out dh.pem 4096
DH generation is a one time operation, so if you're paranoid and you've got time to burn, go ahead and generate the "safe" DH key.
[*] https://security.stackexchange.com/questions/42415/openvpn-dhparam
Joseph Tam <jtam.home@gmail.com>
On Fri, 22 Jun 2018, Joseph Tam wrote:
> However, recent advances make this condition obsolete [*] and not really safer, so a much faster way to generate a DH key is
> openssl dhparam -dsaparam -out dh.pem 4096
> DH generation is a one time operation, so if you're paranoid and you've got time to burn, go ahead and generate the "safe" DH key.
> [*] https://security.stackexchange.com/questions/42415/openvpn-dhparam
Oh, I might have to backtrack on this claim:
https://www.openssl.org/news/secadv/20160128.txt
although it's beyond my understanding whether it's applicable to Dovecot.
Joseph Tam <jtam.home@gmail.com>
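As an added example (not code from any poster in this thread or from Dovecot), the checker below parses a dh.pem as written by `openssl dhparam`, reports the modulus size, and tests the property Joseph describes: whether p is a "safe" prime with (p-1)/2 also prime, which a file made with `-dsaparam` will not satisfy. It constructs its own 64-bit sample files in place of 4096-bit ones; the Miller-Rabin test is exact for those small samples and only a strong probable-prime test for real moduli.

```python
import base64, re
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)  # Miller-Rabin witnesses

def is_prime(n):  # deterministic below ~3.3e24 (covers the samples); probabilistic beyond that
    if n < 2 or any(n % b == 0 for b in BASES):
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(r - 1)):
            return False  # a is a witness: repeated squaring never reached -1
    return True
def der_len(n):  # DER length: short form below 128, else 0x80|k followed by k big-endian bytes
    k = (n.bit_length() + 7) // 8
    return bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
def der_int(n):  # DER INTEGER; a leading 0x00 byte keeps a high-bit value positive
    b = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(b)) + b
def to_pem(p, g):  # PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{wrapped}\n-----END DH PARAMETERS-----\n"
def read_len(der, pos):  # -> (offset of first content byte, content length), short or long form
    k = der[pos] & 0x7F if der[pos] >= 128 else 0
    return pos + 1 + k, int.from_bytes(der[pos + 1:pos + 1 + k], "big") if k else der[pos]
def parse_pem(pem):  # -> (p, g) from a dh.pem as written by openssl dhparam
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    der = base64.b64decode("".join(m.group(1).split()))
    pos, values = read_len(der, 1)[0], []  # step over the outer SEQUENCE header
    for _ in range(2):
        if der[0] != 0x30 or der[pos] != 0x02:
            raise ValueError("not a DER SEQUENCE of INTEGERs")
        start, n = read_len(der, pos + 1)
        values.append(int.from_bytes(der[start:start + n], "big"))
        pos = start + n
    return values[0], values[1]
def check_dh(pem):  # the property the thread argues about: is p a "safe" prime, (p-1)/2 also prime?
    p, g = parse_pem(pem)
    return {"bits": p.bit_length(), "generator": g, "p_prime": is_prime(p),
            "safe_prime": is_prime(p) and is_prime((p - 1) // 2)}
def next_prime_where(start, want_safe):  # constructed samples: 64-bit stand-ins for 4096-bit files
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2) == want_safe):
        p += 2
    return p

SAFE_PEM = to_pem(next_prime_where(1 << 63, True), 2)        # as from `openssl dhparam 4096`
DSA_STYLE_PEM = to_pem(next_prime_where(1 << 63, False), 2)  # as from `-dsaparam`: (p-1)/2 composite
```

On a real file, `check_dh(open("/etc/dovecot/dh.pem").read())` reports whether the parameters you are about to point `ssl_dh` at were generated as safe primes.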
Thanks Joseph, Aki, but something is missing from the upgrade document: where
does the DH param file go? I located ssl-parameters.dat so I will put
it there.
Quoting Joseph Tam <jtam.home@gmail.com>:
> On Fri, 22 Jun 2018, Joseph Tam wrote:
> > However, recent advances make this condition obsolete [*] and not really safer, so a much faster way to generate a DH key is
> > openssl dhparam -dsaparam -out dh.pem 4096
> > DH generation is a one time operation, so if you're paranoid and you've got time to burn, go ahead and generate the "safe" DH key.
> > [*] https://security.stackexchange.com/questions/42415/openvpn-dhparam
> Oh, I might have to backtrack on this claim:
> https://www.openssl.org/news/secadv/20160128.txt
> although it's beyond my understanding whether it's applicable to Dovecot.
> Joseph Tam <jtam.home@gmail.com>
ssl_dh=</path/to/dh.pem
Put it under /etc/dovecot?
---
Aki Tuomi
Dovecot oy
-------- Original message --------
From: tai74@vfemail.net
Date: 25/06/2018 19:48 (GMT+02:00)
To: dovecot@dovecot.org
Subject: Re: upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
> Thanks Joseph, Aki, but something is missing from the upgrade document: where does the DH param file go? I located ssl-parameters.dat so I will put it there.
> Quoting Joseph Tam <jtam.home@gmail.com>:
> > On Fri, 22 Jun 2018, Joseph Tam wrote:
> > > However, recent advances make this condition obsolete [*] and not really safer, so a much faster way to generate a DH key is
> > > openssl dhparam -dsaparam -out dh.pem 4096
> > > DH generation is a one time operation, so if you're paranoid and you've got time to burn, go ahead and generate the "safe" DH key.
> > > [*] https://security.stackexchange.com/questions/42415/openvpn-dhparam
> > Oh, I might have to backtrack on this claim:
> > https://www.openssl.org/news/secadv/20160128.txt
> > although it's beyond my understanding whether it's applicable to Dovecot.
> > Joseph Tam <jtam.home@gmail.com>