creation of ssl-parameters fails

Aki Tuomi aki.tuomi at dovecot.fi
Sun Aug 19 20:56:28 EEST 2018


> On 19 August 2018 at 20:55 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> 
> 
> 
> > On 19 August 2018 at 19:38 Kai Schaetzl <maillists at conactive.com> wrote:
> > 
> > 
> > Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:
> > 
> > > Just generate new parameters on some machine with good entropy source.
> > 
> > So, if it fails to transform (although bigger) the machine hasn't enough 
> > entropy (because it's quite new?)? I'm generating now on the original 
> > machine from last year which is still going on while a second run on one 
> > of the machines where it failed to transform is already finished. So, that 
> > would indicate it has less entropy?
> > Can I re-use the ssl-parameters.dat for several machines or should I 
> > create a new one for each?
> > For the time being I just copied the dh.pem over, to get going, but I 
> > guess this should only be a temporary workaround?
> > 
> > Thanks!
> > 
> > Kai
> > 
> >
> 
> The transformation probably fails because your ssl-parameters.dat file is somewhat different than what it usually is, so probably the offset should be bigger than 88. You could try using skip=152 and see if it works.
> 
> It is not strictly speaking mandatory to have per-installation dh parameters, you can reuse the generated parameters within your site.
> 
> Aki

Oh and for ssl_dh= you can just use the following command; you don't need to use the ssl-parameters.dat file at all.

openssl gendh 4096 > params.pem

Aki
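
Added example (not part of the original thread and not Dovecot code): rather than guessing between skip=88 and skip=152, the sketch below scans a file for a DER-encoded DH parameter block and reports the byte offset where it starts. It assumes the parameters are stored as a DER SEQUENCE of two INTEGERs (prime, generator); the function names and the sample blob are hypothetical and constructed for illustration.

```python
def _der_len(buf, pos):
    """Decode a DER length field; return (length, next_pos) or None."""
    if pos >= len(buf):
        return None
    if buf[pos] < 0x80:
        return buf[pos], pos + 1
    n = buf[pos] & 0x7F
    if not 1 <= n <= 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _der_int(buf, pos, end):
    """Decode a DER INTEGER; return (value, next_pos) or None."""
    if pos >= end or buf[pos] != 0x02:
        return None
    hdr = _der_len(buf, pos + 1)
    if hdr is None or hdr[0] == 0 or hdr[1] + hdr[0] > end:
        return None
    return int.from_bytes(buf[hdr[1]:hdr[1] + hdr[0]], "big"), hdr[1] + hdr[0]

def find_dh_offsets(blob, min_bits=1024):
    """Return [(offset, prime_bits, generator)] for embedded DER DH blocks."""
    hits = []
    for off in range(len(blob)):
        if blob[off] != 0x30:  # SEQUENCE tag
            continue
        hdr = _der_len(blob, off + 1)
        if hdr is None or hdr[1] + hdr[0] > len(blob):
            continue
        end = hdr[1] + hdr[0]
        p = _der_int(blob, hdr[1], end)
        g = _der_int(blob, p[1], end) if p else None
        # SEQUENCE { prime, generator } must fill the declared length exactly
        if (g and g[1] == end and p[0] % 2
                and p[0].bit_length() >= min_bits and 2 <= g[0] < p[0]):
            hits.append((off, p[0].bit_length(), g[0]))
    return hits

def _enc_int(v):
    """DER-encode a small positive INTEGER (only used to build the sample)."""
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    n = len(body)
    return b"\x02" + (bytes([n]) if n < 0x80 else b"\x81" + bytes([n])) + body

def make_sample(offset):
    """Constructed stand-in for ssl-parameters.dat: zero filler, then DER block."""
    body = _enc_int((1 << 1023) | 1) + _enc_int(2)  # 1024-bit odd number, not a real prime
    return b"\x00" * offset + b"\x30\x81" + bytes([len(body)]) + body

if __name__ == "__main__":
    for off, bits, gen in find_dh_offsets(make_sample(152)):
        print(f"skip={off}  prime={bits} bits  generator={gen}")
```

On a real file, read it with open(path, "rb").read() and pass the bytes to find_dh_offsets; the reported offset is the value to try for skip=.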

