FREAK/Logjam, and SSL protocols to use

Rick Romero rick at havokmon.com
Wed May 27 13:55:13 UTC 2015


  Quoting Gedalya <gedalya at gedalya.net>:

> On 05/26/2015 10:37 AM, Ron Leach wrote:
>> https://weakdh.org/sysadmin.html
>>
>> includes altering DH parameters length to 2048, and re-specifying the
>> allowable cipher suites - they give their suggestion.
>
> It looks like there is an error on this page regarding regeneration. In
> current dovecots ssl_parameters_regenerate defaults to zero, and this
> means regeneration is disabled. The old default was 168 hours (1 week).
> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is
> confusing and could be understood to mean that the current default is
> one week.
> To enable regeneration you can manually set:
> ssl_parameters_regenerate = 60 days
> or: ssl_parameters_regenerate = 1 weeks

This is really cool and all, but for a low power proxy, it takes a good 5
minutes to regenerate the dh params, and Dovecot listens the entire time.

If the socket were closed during regeneration, then a (basic) front-end
load balancer wouldn't still push connections to that proxy during regen.

Rick
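
As an added example, not code from this thread or from Dovecot: a shell check for the weakdh.org advice, which connects to an IMAP STARTTLS port with only DHE suites offered and reads the size of the ephemeral DH key from the `Server Temp Key` line of `openssl s_client` (OpenSSL 1.0.2 or later). The host, the port and the 2048-bit threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify the ephemeral DH size that a
# STARTTLS IMAP server (e.g. Dovecot) offers, as weakdh.org recommends >= 2048.
# Assumes OpenSSL 1.0.2+ so that s_client prints a "Server Temp Key:" line.

# dh_key_ok OUTPUT [MIN_BITS]
# Returns 0 if the Server Temp Key is a DH key of at least MIN_BITS bits
# (or an ECDH key, which Logjam does not affect), 1 if it is a smaller DH
# key, and 2 if no Server Temp Key line is present (no DHE suite agreed).
dh_key_ok() {
    out="$1"; min="${2:-2048}"
    line=$(printf '%s\n' "$out" | grep 'Server Temp Key:' | head -n 1)
    [ -n "$line" ] || return 2
    case "$line" in
        *ECDH*|*X25519*|*X448*) return 0 ;;
    esac
    bits=$(printf '%s\n' "$line" | sed -n 's/.*DH, \([0-9]*\) bits.*/\1/p')
    [ -n "$bits" ] || return 2
    [ "$bits" -ge "$min" ]
}

# probe_imap_dh HOST [PORT]
# Offer only ephemeral-DH suites so the server must use its DH parameters
# (the file Dovecot regenerates) or refuse the handshake.
probe_imap_dh() {
    host="$1"; port="${2:-143}"
    openssl s_client -connect "$host:$port" -starttls imap \
        -cipher 'EDH:!aNULL' </dev/null 2>/dev/null
}

# Usage: sh dhcheck.sh imap.example.org [143]   (host is a placeholder)
if [ -n "$1" ]; then
    if dh_key_ok "$(probe_imap_dh "$1" "$2")"; then
        echo "ok: ephemeral DH key is at least 2048 bits"
    else
        echo "WEAK or no DH key offered: see https://weakdh.org/sysadmin.html"
    fi
fi
```

Run it against a proxy before and after the parameter file is regenerated to confirm the served DH size did not drop back to the old default.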