[Ach] 9.2.1 Dovecot, some additions, questions

Wed Nov 20 17:20:03 CET 2013

OpenSSL tells me that in the OpenSSL case, the generator of Your parameters
is "2'", in the GnuTLS case it's

70:ef:09:c2:4b:4e:83:0a:36:a0:17:94:a2:cf:dc:
09:06:c4:4d:b0:19:3d:43:78:f1:54:e5:1e:0f:3e:
d9:af:b7:80:78:62:b1:42:1b:31:17:cc:08:e2:71:
ae:44:96:cb:45:40:c8:df:e4:6a:38:6f:0f:e4:d4:
65:9e:86:c5:4b:33:4e:6a:1c:93:4b:6c:e1:c7:58:
2c:a9:b6:2d:a7:73:7f:8f:dd:73:26:d6:4a:d2:ca:
93:be:47:23:48:7e:2c:85:bd:a7:a2:cb:29:ae:78:
0e:b5:03:03:f4:7f:38:32:55:fc:50:07:0b:ea:94:
c7:0e:04:81:40:06:f8:c4

which acccounts for the difference in length and runtime (and should also
result in quite some difference in actual applications...)

regards
Manuel

On Wed, Nov 20, 2013 at 5:08 PM, Adi Kriegisch <adi at kriegisch.at> wrote:

> Hi!
>
> > > >> ssl_parameters_regenerate = 168 # Value in hours, aka 168h ≈ 1w
> > > >> Does 24h sound reasonable? More or less?
> > > > For a typical server yes, for an embedded device no.
> > > Dovecot on embedded systems is a thing?
> >
> > Firstly: does it really make sense to regularily regenerate dhparams
> > at all?
> As you want your ephemeral keys to be mostly unique (especially for many
> sessions), yes, I think so.
>
> > Then, don't forget many people are running their (internet-facing)
> > home servers on power-efficient small boxes, such as ARM-based NASes
> > or raspberry pi.
> Hmm... that doesn't do much harm, actually: one may genereate dhparams on
> any machine and then just copy them...
>
> btw. I have some strange behaviour when using gnutls's certtool: this
> commandline 'certtool --generate-dh-params --bits 1024' takes less than a
> second on my machine compared to openssl dhparams taking 20 seconds or
> more. (I run haveged if that has any influence on the issue).
> Is there some reasonable explanation for that?
>
> -- Adi
>
> PS: The output is different too (the length I mean); both 1024bit
> OpenSSL:
> -----BEGIN DH PARAMETERS-----
> MIGHAoGBAP76S+UdLQFJVqpg6lkfA3BAYwHu7ZQOnz3ZNY9x+AOhKfEmM3WHnsxY
> bEhx7aZqgkq7OaVX/Xl4BgYedghBeIZaDbj6fL8zaxy1pLQZqztVbDmrGQY6PByu
> M2NVGRMFNlthDhyYAF6jrXKjzITFHpak+sRsUWwDGfGVlbmfKRBzAgEC
> -----END DH PARAMETERS-----
>
> GNUTLS certtool:
>
> -----BEGIN DH PARAMETERS-----
> MIIBCwKBgQDoiTq1LrQs+ZMlMG6WHy/JgYZo6DX7H4yX0DjbG/v2S/qCnjNgVG0Q
> vsNCC0+DjwdrSzu3PuOsxXCYmtF9IbJGjsMpG+kN9z1unkX1hHGdqEtGZEs3Rs7A
> opuBNUaSixT29+n4WPklW1yzitSI0Pg2VrsjmfrpZPF5Muky5QwaKwKBgHDvCcJL
> ToMKNqAXlKLP3AkGxE2wGT1DePFU5R4PPtmvt4B4YrFCGzEXzAjica5ElstFQMjf
> 5Go4bw/k1GWehsVLM05qHJNLbOHHWCypti2nc3+P3XMm1krSypO+RyNIfiyFvaei
> yymueA61AwP0fzgyVfxQBwvqlMcOBIFABvjEAgIAnw==
> -----END DH PARAMETERS-----
>
> How is that possible?
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iQIVAwUBUozd63REfA6phVy/AQL4vA/+Kis16s6gtynbGeeLCnbRMDzty6CxYZ8y
> YPrAykBXTVo4flxO995rZ9SX4q6hNxMNuaRLYWtXMtMaRjvMBrL5hnJ7TZ0t87R3
> Fs5xfmHYw3yTw3DxmHKrENUEaCCjCXZY5gB1MbP8Xc6j0cdvjGHbnVcmVpMxS9YH
> +bIt+bHkgb34iBCTzHQJ7pBP2KPhnyOwP0hUvgqgx0s11jULUsFREOQuXD3Q8850
> pHE4lndFLg04nO28KRvHBhYj+tl0bp8nN9iO0N4YD+IwEUshF/rfneoz4mIHzSGV
> JQQG0AKIZuJ3t1SJGZ+enpVV2WH6390blPWP/2/PlXXXh3Xh04vbkdLdnzcCi3b8
> TnTmBUC8r1D9P2rktRK+tBEovoKi11Nv1k7faHVVm+pzodjYZPG5tbUYhuVqrbaJ
> h4+qvlZ1NB8UIuG3aRgqHuZyDeP0G9HgnkmsYm/Z8ICCsJrRhZKjpzaO2W+sRhFg
> zG5Uiv2y52PtPl8/PKhsT57PAoJeO4jaI9qzfIlCPxjcQHN3TFKshbCeJnl0UIlH
> vmdv+sI3LpFsuQ+lynJYfgevKkV/N5AtGutctIsB474bv27BpxX7mrZS9V7PzOBt
> b+9Sd92k/vV5Q30YrmUaQQohWSwIYFDqQv9aviXF2kxdCnoA7FrQovXx82gj2Pcm
> tfanuliUBuQ=
> =6qTF
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/ach/attachments/20131120/bf7891c9/attachment.html>