creation of ssl-parameters fails

Aki Tuomi aki.tuomi at dovecot.fi
Mon Aug 20 14:37:46 EEST 2018



On 20.08.2018 14:32, Kai Schaetzl wrote:
> Aki Tuomi wrote on Sun, 19 Aug 2018 20:56:28 +0300 (EEST):
>
>> openssl gendh 4096 > params.pem
> Ok. I then misunderstood what's written at
> https://wiki.dovecot.org/SSL/DovecotConfiguration
>
> I thought I need to create dh.pem in two steps:
>
> 1. openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
> 2. dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
>
> That's what I did on the first installation. ssl-parameters.dat already
> existed and I just used the second command to transform it. Now I thought
> I must have generated ssl-parameters.dat with the first command back
> then. But apparently I haven't.
>
> Now I was trying to make steps 1 and 2 and that fails because the 
> generated ssl-parameters.dat is apparently not the format expected.
>
> Basically
> openssl dhparam 4096 > /etc/dovecot/dh.pem
> would do the trick? I misread that from the wiki.

Yes. ssl-parameters.dat is a file which contains the generated
parameters, and the dd trick is just to save some time; it basically
extracts the DER-formatted parameters from there and converts them into PEM.
The ssl-parameters.dat file is not used by Dovecot in any way after 2.3.0.

Aki

> Before reading your reply I checked
> https://www.openssl.org/docs/man1.0.2/apps/dhparam.html
> and tried this command:
> openssl dhparam -outform DER -out /etc/dovecot/dh-new.pem -2 4096
> (after reading Alexander's reply).
> It just finished and dovecot seems to be working with it, although it's 
> got no DH header line. At least dovecot doesn't complain when starting up.
> Anyway, I'll now reuse the dh.pem from no. 1 on the other machines.
>
> Thanks for the help!
>
> Kai
>
>

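The dd trick Aki describes and the header-less file Kai ended up with both come down to the same two encodings of PKCS#3 DH parameters: raw DER, and DER wrapped in the PEM armour that starts with "-----BEGIN DH PARAMETERS-----". The following Python is an added example, not Dovecot's code and not anything posted in this thread. It encodes and decodes the DER SEQUENCE { INTEGER p, INTEGER g }, converts between DER and PEM, tells the two apart, locates the DER blob inside a file that carries an opaque leading header (generalising the fixed `skip=88`, whose 88-byte figure is taken from Kai's command; the sample blob below uses a constructed zero header, not Dovecot's real ssl-parameters.dat layout), and runs the sanity checks an operator would want before deploying a dh.pem. The sample prime is a constructed 64-bit value so the example runs instantly; it is deliberately far below the 2048-bit minimum the checker enforces. For a real file, `openssl dhparam -check -in dh.pem -noout` is the authoritative check.

```python
import base64
import re

# Added example, not Dovecot's code: PKCS#3 DHParameter handling, doing in
# Python what "openssl dhparam -inform der" does at the end of the dd pipe.
PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"

# Constructed sample: 2**64 - 59 is prime but is a TOY group, not for TLS use.
P_TOY = 2**64 - 59
G_TOY = 2


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02); a leading 0x00 keeps the value positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_params_der(p: int, g: int) -> bytes:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    body = _der_integer(p) + _der_integer(g)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += 2 + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:end], end


def decode_dh_params_der(der: bytes):
    """Return (p, g) from a DER DHParameter; rejects anything else."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, pos = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02 or pos != len(seq):
        raise ValueError("SEQUENCE is not exactly INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def der_to_pem(der: bytes) -> str:
    """Wrap DER in the PEM armour openssl writes (base64, 64 columns)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    m = re.search(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def detect_format(data: bytes) -> str:
    """'pem' if armoured, 'der' if it decodes as DHParameter, else 'unknown'."""
    if PEM_HEADER.encode() in data:
        return "pem"
    try:
        decode_dh_params_der(data)
        return "der"
    except (ValueError, IndexError):
        return "unknown"


def find_der_offset(blob: bytes, max_scan: int = 4096) -> int:
    """First offset where a DHParameter SEQUENCE decodes cleanly.

    Generalises the fixed 'dd skip=88' trick: no assumption about the header size."""
    for off in range(min(len(blob), max_scan)):
        if blob[off] != 0x30:
            continue
        try:
            _, _, end = _read_tlv(blob, off)
            decode_dh_params_der(blob[off:end])
            return off
        except (ValueError, IndexError):
            continue
    raise ValueError("no DER DH parameters found in blob")


def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed small bases (deterministic below ~3.3e24)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for q in bases:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_params(p: int, g: int, min_bits: int = 2048) -> list:
    """Deployment sanity checks; an empty list means nothing obviously wrong."""
    problems = []
    if p.bit_length() < min_bits:
        problems.append(f"p is only {p.bit_length()} bits, want >= {min_bits}")
    if not _is_probable_prime(p):
        problems.append("p is not prime")
    if not 1 < g < p - 1:
        problems.append("generator g is out of range")
    return problems


if __name__ == "__main__":
    der = encode_dh_params_der(P_TOY, G_TOY)
    blob = b"\x00" * 88 + der          # constructed stand-in for a headered file
    off = find_der_offset(blob)
    print(f"DER found at offset {off}, format={detect_format(blob[off:])}")
    print(der_to_pem(blob[off:]))
    print("problems:", check_dh_params(*decode_dh_params_der(blob[off:])))
```

Run against a real `openssl dhparam -outform DER` file, `detect_format` reports "der" and `der_to_pem` produces a file Dovecot will read with the expected header line; run against the PEM that `openssl dhparam 4096 > dh.pem` writes, it reports "pem" and `check_dh_params` should return an empty list.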