[Ach] 9.2.1 Dovecot, some additions, questions

Adi Kriegisch adi at kriegisch.at
Wed Nov 20 17:08:55 CET 2013


Hi!

> > >> ssl_parameters_regenerate = 168 # Value in hours, aka 168h ≈ 1w
> > >> Does 24h sound reasonable? More or less?
> > > For a typical server yes, for an embedded device no.
> > Dovecot on embedded systems is a thing? 
> 
> Firstly: does it really make sense to regularly regenerate dhparams
> at all? 
As you want your ephemeral keys to be mostly unique (especially for many
sessions), yes, I think so.
 
> Then, don't forget many people are running their (internet-facing)
> home servers on power-efficient small boxes, such as ARM-based NASes
> or raspberry pi.
Hmm... that doesn't do much harm, actually: one may generate dhparams on
any machine and then just copy them...

btw. I have some strange behaviour when using gnutls's certtool: this
commandline 'certtool --generate-dh-params --bits 1024' takes less than a
second on my machine compared to openssl dhparams taking 20 seconds or
more. (I run haveged if that has any influence on the issue).
Is there some reasonable explanation for that?

-- Adi

PS: The output is different too (the length, I mean); both 1024 bit.
OpenSSL:
-----BEGIN DH PARAMETERS-----
MIGHAoGBAP76S+UdLQFJVqpg6lkfA3BAYwHu7ZQOnz3ZNY9x+AOhKfEmM3WHnsxY
bEhx7aZqgkq7OaVX/Xl4BgYedghBeIZaDbj6fL8zaxy1pLQZqztVbDmrGQY6PByu
M2NVGRMFNlthDhyYAF6jrXKjzITFHpak+sRsUWwDGfGVlbmfKRBzAgEC
-----END DH PARAMETERS-----

GNUTLS certtool:

-----BEGIN DH PARAMETERS-----
MIIBCwKBgQDoiTq1LrQs+ZMlMG6WHy/JgYZo6DX7H4yX0DjbG/v2S/qCnjNgVG0Q
vsNCC0+DjwdrSzu3PuOsxXCYmtF9IbJGjsMpG+kN9z1unkX1hHGdqEtGZEs3Rs7A
opuBNUaSixT29+n4WPklW1yzitSI0Pg2VrsjmfrpZPF5Muky5QwaKwKBgHDvCcJL
ToMKNqAXlKLP3AkGxE2wGT1DePFU5R4PPtmvt4B4YrFCGzEXzAjica5ElstFQMjf
5Go4bw/k1GWehsVLM05qHJNLbOHHWCypti2nc3+P3XMm1krSypO+RyNIfiyFvaei
yymueA61AwP0fzgyVfxQBwvqlMcOBIFABvjEAgIAnw==
-----END DH PARAMETERS-----

How is that possible?
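As an added example (not part of Adi's mail, nor code from Dovecot, OpenSSL or GnuTLS): a small Python decoder for PEM "DH PARAMETERS" blocks like the two above. It parses the PKCS#3 DHParameter structure (SEQUENCE of INTEGER p, INTEGER g and an optional INTEGER privateValueLength), reports the bit size of p and g, and runs a Miller-Rabin check on p and (p-1)/2 so parameters can be verified before they are copied onto a server; the embedded sample input is the OpenSSL block quoted above.

```python
# Added example, not from the post: decode a PEM "DH PARAMETERS" block (PKCS#3
# DHParameter = SEQUENCE { p, g, privateValueLength OPTIONAL }) and sanity-check p.
import base64, random

def _der_tlv(der, pos):
    """Parse one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def parse_dh_params(pem):
    """Return p, g, the optional privateValueLength, and the bit sizes of p and g."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    tag, seq, _ = _der_tlv(base64.b64decode(body), 0)
    assert tag == 0x30, "expected SEQUENCE"
    ints, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _der_tlv(seq, pos)
        assert tag == 0x02, "expected INTEGER"
        ints.append(int.from_bytes(val, "big", signed=True))
    p, g = ints[0], ints[1]
    return {"p": p, "g": g, "p_bits": p.bit_length(), "g_bits": g.bit_length(),
            "private_value_length": ints[2] if len(ints) > 2 else None}

def is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases; adequate for a deployment sanity check."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    def is_witness(a):                 # True when base a proves n composite
        x = pow(a, d, n)
        return x not in (1, n - 1) and all(pow(x, 2 ** r, n) != n - 1 for r in range(1, s))
    return not any(is_witness(random.randrange(2, n - 1)) for _ in range(rounds))

def is_safe_prime(p):
    """Safe prime: p and (p-1)/2 both prime, the shape openssl dhparam searches for."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)
# Sample input: the 1024-bit OpenSSL block quoted in the post above.
OPENSSL_PEM = """-----BEGIN DH PARAMETERS-----
MIGHAoGBAP76S+UdLQFJVqpg6lkfA3BAYwHu7ZQOnz3ZNY9x+AOhKfEmM3WHnsxY
bEhx7aZqgkq7OaVX/Xl4BgYedghBeIZaDbj6fL8zaxy1pLQZqztVbDmrGQY6PByu
M2NVGRMFNlthDhyYAF6jrXKjzITFHpak+sRsUWwDGfGVlbmfKRBzAgEC
-----END DH PARAMETERS-----"""
if __name__ == "__main__":
    info = parse_dh_params(OPENSSL_PEM)
    print("p bits:", info["p_bits"], "g:", info["g"], "safe prime:", is_safe_prime(info["p"]))
```

Feeding the GnuTLS block from the post to parse_dh_params shows which fields account for its longer output.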