On 05.11.2013 20:01, Frank Elsner wrote:
> after switching from version 2.2.6 to 2.2.7 I miss the loglines which say:
> 
> ssl-params: Generating SSL parameters
> ssl-params: SSL parameters regeneration completed
>
> What's going on? No more logging or no regeneration?

It is intentional, I guess.

http://hg.dovecot.org/dovecot-2.2/rev/43ab5abeb8f0

ssl-params: Added ssl_dh_parameters_length & removed ssl_parameters_regenerate 
setting.
ssl_parameters_regenerate was based on some text from GNUTLS documentation a
long time ago, but there's really not much point in doing it.

Ideally we should also support "openssl dhparam" input files, but for now
there's the ssl_dh_parameters_length setting that can be used to specify the
wanted DH parameters length. If the current ssl-parameters.dat has a
different length, it's regenerated.

We should probably at some point support also built-in DH parameters which
are returned while the ssl-params runs.

-------- Original Message --------
Subject: Re: [Dovecot] DH parameter length too small?
Date: Sat, 2 Nov 2013 15:28:33 +0200
From: Timo Sirainen <t...@iki.fi>
Reply-To: Dovecot Mailing List <dovecot@dovecot.org>
To: Jörg Lübbert <j.luebb...@kaladix.org>
Cc: Dovecot Mailing List <dovecot@dovecot.org>

On 14.10.2013, at 19.08, Jörg Lübbert <j.luebb...@kaladix.org> wrote:

> from my understanding, using 1024bit DH parameters results in a not
> sufficiently secure key exchange for DH(E). Therefore I think it would
> be advisable to have parameters of at least 2048bit. In fact, I would
> see a great benefit in choosing parameter length arbitrarily.
>
> I also do not see the benefit of parameter regeneration. What were the design 
> goals here?

http://hg.dovecot.org/dovecot-2.2/rev/43ab5abeb8f0
