> For a given computational effort, you get the most bang-for-the-buck by
> choosing large parameters (and checking very carefully that they are
> "safe") rather than smaller parameters (and/or checking them less
> carefully) which you then regenerate.
This discussion (on the OpenSSH mailing list)
>But when you write NOT to regenerate, are you saying that using larger primes
>makes regenerating unnecessary, or are you telling us that it's somehow
>harmful?
For a given computational effort, you get the most bang-for-the-buck by
choosing large parameters (and checking very carefully that t
On 05/27/2015 12:29 PM, Jacques Distler wrote:
It is not at this point emphasized anywhere, including on weakdh.org, that it
is actually of high importance to regenerate your DH parameters frequently.
That's not really correct.
If you're using a prime of length at least 2048 bits, then the c
>It is not at this point emphasized anywhere, including on weakdh.org, that it
>is actually of high importance to regenerate your DH parameters frequently.
That's not really correct.
If you're using a prime of length at least 2048 bits, then the corresponding
discrete-log problem is well-beyond
On 05/27/2015 12:15 PM, Ron Leach wrote:
I couldn't find an entry in 10-ssl.config that covered regeneration
(though our version is 2.2.15 and the current release, 2.2.18, may
differ).
Yea it's just not there. You can 'discover' these 'hidden' options using
doveconf -a, scattered docs, and
On 27/05/2015 05:22, Gedalya wrote:
It looks like there is an error on this page regarding regeneration.
In current dovecots ssl_parameters_regenerate defaults to zero, and
this means regeneration is disabled. The old default was 168 hours (1
week).
The language on http://wiki2.dovecot.org/SSL/D
On 05/27/2015 11:56 AM, Rick Romero wrote:
Quoting Gedalya :
On 05/27/2015 09:55 AM, Rick Romero wrote:
Quoting Gedalya :
On 05/26/2015 10:37 AM, Ron Leach wrote:
https://weakdh.org/sysadmin.html
includes altering DH parameters length to 2048, and re-specifying the
allowable cipher suit
Quoting Gedalya :
On 05/27/2015 09:55 AM, Rick Romero wrote:
Quoting Gedalya :
On 05/26/2015 10:37 AM, Ron Leach wrote:
https://weakdh.org/sysadmin.html
includes altering DH parameters length to 2048, and re-specifying the
allowable cipher suites - they give their suggestion.
It looks li
On 05/27/2015 09:55 AM, Rick Romero wrote:
Quoting Gedalya :
On 05/26/2015 10:37 AM, Ron Leach wrote:
https://weakdh.org/sysadmin.html
includes altering DH parameters length to 2048, and re-specifying the
allowable cipher suites - they give their suggestion.
It looks like there is an error
Quoting Gedalya :
On 05/26/2015 10:37 AM, Ron Leach wrote:
https://weakdh.org/sysadmin.html
includes altering DH parameters length to 2048, and re-specifying the
allowable cipher suites - they give their suggestion.
It looks like there is an error on this page regarding regeneration. In
cur
On 05/26/2015 10:37 AM, Ron Leach wrote:
https://weakdh.org/sysadmin.html
includes altering DH parameters length to 2048, and re-specifying the
allowable cipher suites - they give their suggestion.
It looks like there is an error on this page regarding regeneration. In
current dovecots ssl
On Tue, May 26, 2015 at 03:37:39PM +0100, Ron Leach wrote:
> What SSL protocols do folk on the list recommend should be allowed in
> Dovecot these days? (Actually, I mean which protocols really 'must' be
> disallowed?)
I use this:
ssl_protocols = !SSLv2 !SSLv3
ssl_cipher_list = ECDH@STRENGTH:DH@S
On 26.05.2015 at 16:37, Ron Leach wrote:
> # SSL protocols to use
> #ssl_protocols = !SSLv2
you should use
ssl_protocols = !SSLv2
you may use
ssl_protocols = !SSLv2 !SSLv3
if you haven't any clients that can only work on SSLv3
i.e. outdated Netscape etc.
Best Regards
MfG Robert Schetterer
--
On 26/05/2015 15:37, Ron Leach wrote:
I was reading up on a TLS Diffie Hellman protocol weakness described here
https://weakdh.org/sysadmin.html
Sorry, wrong link. The weakness is described at the front page here
https://weakdh.org/
The page with the Dovecot advice was correct:
https:/