Corrupted SSL parameters file in state_dir with HG 267bca7a62fb

Reindl Harald h.reindl at thelounge.net
Fri Oct 31 15:17:03 UTC 2014


On 31.10.2014 at 15:51, Teemu Huovila wrote:
> On 10/31/2014 12:13 PM, Thomas Leuxner wrote:
>> with the latest HG 267bca7a62fb the following error started to appear in the logs:
>>
>> Oct 31 09:39:07 nihlus dovecot: master: Dovecot v2.2.15 (267bca7a62fb) starting up for imap, lmtp
>> [...]
>> Oct 31 10:10:52 nihlus dovecot: lmtp(20876): Error: Corrupted SSL parameters file in state_dir: ssl-parameters.dat - disabling SSL 360
>> Oct 31 10:10:52 nihlus dovecot: lmtp(20876): Error: Couldn't initialize SSL parameters, disabling SSL
>> Oct 31 10:10:52 nihlus dovecot: lmtp(20876): Connect from local
>>
>> This most likely has been introduced with a commit after the previous build installed (aa5dde56424f). I did not find options to disable SSL for LMTP either, as in my setup I'm using a UNIX socket.
> There seems to be an issue with setting a non-default, e.g. 2048, value for ssl_dh_parameters_length. A workaround is to revert
> to the default 1024

what is a joke these days - what is "non-default" in case of 2048?
frankly you need at least 3072 for AES128 and 2048 *is default*
go out and buy a 1024 bit certificate - you won't get it
the days of 1024 in context of encryption are gone

* httpd can deal for a long time with larger keys and dh-params
* openvpn the same

Thu Oct 30 16:11:12 2014 Diffie-Hellman initialized with 4096 bit key
Thu Oct 30 15:11:24 2014 62.178.103.85:59278 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Thu Oct 30 16:11:24 2014 client/62.178.103.85:59278 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
Thu Oct 30 17:11:25 2014 client/62.178.103.85:59278 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA
