creation of ssl-parameters fails

Alexander Dalloz ad+lists at uni-x.org
Sun Aug 19 21:00:24 EEST 2018


Am 19.08.2018 um 17:08 schrieb Kai Schaetzl:
> I did that the last time one year ago, now on another machine with the
> same software (Ubuntu 16.04) it fails.
> 
> openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
> dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam
> -inform der > /etc/dovecot/dh.pem
> last command fails with
> 
> 681+0 records in
> 681+0 records out
> 681 bytes copied, 0,00278343 s, 245 kB/s
> unable to load DH parameters
> 139858178938624:error:0D0680A8:asn1 encoding
> routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
> 139858178938624:error:0D07803A:asn1 encoding
> routines:asn1_item_embed_d2i:nested asn1
> error:../crypto/asn1/tasn_dec.c:289:Type=DH
> 
> ssl-parameters.dat is more than double the size as the one that worked.
> And that one I can still transform:
> 
> 272+0 records in
> 272+0 records out
> 272 bytes copied, 0,00105017 s, 259 kB/s
> 
> So, something with
> openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
> must be wrong. But what?
> https://wiki.dovecot.org/SSL/DovecotConfiguration
> tells to use this command.
> 
> Thanks!
> 
> Kai

The DH file you run your command against is not DER formatted. Mine is 
in PEM format and contains

-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----

Alexander
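As an added illustration (not part of the thread above), the Python below encodes a tiny constructed DH parameter set in both formats and classifies file bytes the way `openssl dhparam -inform der` sees them: PEM output from `openssl dhparam` starts with an armour line rather than the ASN.1 SEQUENCE tag the DER parser expects, which is consistent with the "wrong tag" error in the quoted output. The prime and generator are toy values, not usable parameters.

```python
import base64
import re

# Constructed toy values for illustration only; real DH parameters are 2048+ bits.
P = 0xFFFFFFFFFFFFFFC5
G = 2

def der_len(n: int) -> bytes:
    """Encode a DER length field (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v: int) -> bytes:
    """DER INTEGER (tag 0x02): minimal big-endian body, leading 0x00 if the top bit is set."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # +8 keeps the sign bit clear
    return b"\x02" + der_len(len(body)) + body

def dh_params_der(p: int, g: int) -> bytes:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER } in DER."""
    inner = der_int(p) + der_int(g)
    return b"\x30" + der_len(len(inner)) + inner

def dh_params_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM armour that 'openssl dhparam' writes by default."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the armour and base64-decode, which is what '-inform pem' does internally."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))

def detect_dh_format(data: bytes) -> str:
    """Classify file bytes: PEM armour, a leading DER SEQUENCE tag, or neither."""
    if data.lstrip().startswith(b"-----BEGIN DH PARAMETERS-----"):
        return "PEM"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE tag the DH DER parser expects first
        return "DER"
    return "unknown"  # e.g. PEM text or a misaligned byte offset: DER parse reports 'wrong tag'

if __name__ == "__main__":
    der = dh_params_der(P, G)
    pem = dh_params_pem(der)
    print(detect_dh_format(der), detect_dh_format(pem.encode()), pem_to_der(pem) == der)
```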