[Dovecot] DH Parameter

Timo Sirainen tss at iki.fi
Sun Sep 22 06:51:18 EEST 2013


On 10.9.2013, at 22.57, Dimi - <00tj45 at gmail.com> wrote:

> Hi!
> Is there any possibility to let dovecot serve >1024 Bit DH parameters on
> SSL/TLS connections? Is it possible to replace
> /var/lib/dovecot/ssl-parameters.ssl with DH parameters generated by openssl?
> 
> If not: Are there any plans to implement that?

It would be simple enough to add support for more bits, but I don't know how SSL_CTX_set_tmp_dh_callback() is supposed to select between them. Should it do it based on the keylength parameter, or should it just always use the highest-bits parameter? How much CPU does using larger DH keys cost on the server and/or client? Should this be configurable? Maybe it would be a good idea to allow OpenSSL-compatible DH parameter files.

All in all: I don't know enough about SSL to be very confident on how to implement this properly.
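The open question above is how a tmp-DH callback should pick between several pre-generated parameter sets. The following is an added example, not Dovecot's or OpenSSL's code: it isolates that selection policy into a plain C function so it can be reasoned about and tested without linking OpenSSL. The `is_export` and `keylength` arguments mirror the signature OpenSSL hands to the callback registered with `SSL_CTX_set_tmp_dh_callback()`; the policy itself (refuse export-grade requests, enforce a configurable floor, serve the smallest group that satisfies the request, otherwise the largest one available) and the 2048-bit floor are assumptions chosen here, and the list of available sizes is constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed floor: never serve a DH group weaker than this, whatever the
 * peer or the cipher negotiation asks for. */
#define DH_MIN_BITS 2048

/* Bit sizes of the parameter sets an operator pre-generated with
 * "openssl dhparam" (constructed sample data). In a real callback each
 * size would map to a DH object loaded once at startup. */
static const int available_bits[] = { 1024, 2048, 4096 };
static const size_t available_count =
    sizeof(available_bits) / sizeof(available_bits[0]);

/* Decide which parameter set to serve.
 *
 * is_export / keylength: the values OpenSSL passes to a tmp_dh callback.
 * avail / n:             bit sizes of the pre-generated parameter sets.
 * min_bits:              configured floor.
 *
 * Returns the bit size to serve, or 0 to refuse (a real callback would
 * return NULL, which aborts the handshake).
 *
 * Policy (assumed):
 *   1. Export-grade cipher suites require tiny groups; refuse them outright.
 *   2. Raise the requested size to the floor.
 *   3. Serve the smallest available group that is >= the request, so CPU
 *      cost is not higher than necessary.
 *   4. If no group is large enough, fall back to the largest one we have,
 *      but only if it still meets the floor. */
int select_dh_bits(int is_export, int keylength,
                   const int *avail, size_t n, int min_bits)
{
    if (is_export)
        return 0;

    int want = keylength < min_bits ? min_bits : keylength;
    int best = 0;     /* smallest group satisfying the request */
    int largest = 0;  /* largest group overall */

    for (size_t i = 0; i < n; i++) {
        if (avail[i] > largest)
            largest = avail[i];
        if (avail[i] >= want && (best == 0 || avail[i] < best))
            best = avail[i];
    }

    if (best != 0)
        return best;
    return largest >= min_bits ? largest : 0;
}

int main(void)
{
    /* Non-export request for 1024 bits: floor raises it to 2048. */
    printf("1024 -> %d\n", select_dh_bits(0, 1024, available_bits,
                                          available_count, DH_MIN_BITS));
    /* Request exceeds every group: fall back to the largest (4096). */
    printf("8192 -> %d\n", select_dh_bits(0, 8192, available_bits,
                                          available_count, DH_MIN_BITS));
    /* Export-grade request is refused. */
    printf("export -> %d\n", select_dh_bits(1, 512, available_bits,
                                            available_count, DH_MIN_BITS));
    return 0;
}
```

Only the bit-size decision is shown; in a real server the returned size would index a table of DH objects read from PEM files at startup (one `openssl dhparam` output per size) so no handshake ever triggers parameter generation. Note that the 1024-bit entry in the sample list is never served under this policy, which is the point of the floor.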
