ssl-params: slow startup (patch for consideration)

A. Schulze sca at
Wed Nov 4 13:22:07 UTC 2015

Joseph Tam:

> Based on the recent found weaknesses in DH key exchange,
> I increased ssl_dh_parameters_length to 2048 bits, and found waited
> for 5+ minutes for dovecot to come back online after a restart.
> Unless you got a fast machine, the initialization of DH parameters can
> exceed your patience.
> Regeneration may not be a problem (if ssl_parameters_regenerate=0 or if
> Dovecot uses old parameters until regeneration finishes), but for cold
> starts, the server can be tied up for a few minutes creating DH parameters
> while clients queue up.
> I ran "openssl dhparam 2048" and got wildly varying run times of 1m45s,
> 11m56s, 0.4s, 2m19s, 3h23s.  Most of the time was spent testing primality
> of candidate p *and* (p-1)/2 -- so called "safe prime".  If you're
> unlucky, this can take a long time.
> However, it appears "safe" primes are not what they're cracked up to be
> -- they offer some guarantees, but are not safer than non-safe primes.
> Creating DH parameters without requiring primality of (p-1)/2 (i.e. what
> "openssl dhparam -dsaparam" does) results in much lower run-time bounds.
> I cribbed some OpenSSL code to create this (untested) patch.

precomputing ssl-params is also possible without patching but it's a  
little bit tricky

1. generate a temporary minimal config
cat <<EOF > /tmp/ssl-params.conf
ssl_dh_parameters_length = 4096
state_dir = /tmp/

2. calculation
rm -f /tmp/ssl-parameters.dat*
nice -n 19 /path/to/ssl-params -c /tmp/ssl-params.conf

3. move the result to your running dovecot
mv /tmp/ssl-parameters.dat /path/to/ssl-parameters.dat
doveadm reload
rm /tmp/ssl-params.conf

Long version in german:


More information about the dovecot mailing list