[Ach] Dovecot DH parameters

Leon Weber leon at leonweber.de
Tue Feb 10 14:24:57 CET 2015


Hi,

I’ve been reading through dovecot’s SSL configuration manual[1].

According to that, dovecot

(1) uses 1024-bit DH parameters by default, unless configured otherwise
    in the ssl_dh_parameters_length variable, and

(2) generates the DH parameters by itself, and even regenerates that
    file every week unless disabled by the ssl_parameters_regenerate
    parameter.

This makes me wonder:  Would it make sense to include a config statement
to change (1) to a larger value in the bettercrypto.org manual?

Regarding (2):  If I understand RFC 7457 section 2.9 correctly, it
advises against generating DH params yourself.  Hence, is it reasonable
to disable parameter regeneration and supply dovecot with a pregenerated
parameter file?

If so, would it make sense to suggest that in the bettercrypto manual as
well?

Regards,

    -- Leon.


[1]: <http://wiki2.dovecot.org/SSL/DovecotConfiguration>
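
An added example, not part of the message above and not Dovecot's own code: a small check that reads configuration text and reports the DH parameter length in effect and whether regeneration is on, using the two settings and the defaults named in the message. The function names, the 2048-bit minimum and the sample configuration are assumptions made for illustration.

```python
import re

# Defaults as stated in the message above: 1024-bit parameters, regenerated weekly.
DEFAULTS = {"ssl_dh_parameters_length": "1024", "ssl_parameters_regenerate": "1 week"}
ASSIGNMENT = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
ssl = required
ssl_dh_parameters_length = 2048   # raised from the default
#ssl_parameters_regenerate = 0
"""

def effective_settings(config_text):
    """Return the value in effect for each audited setting.

    Simplification: comments are stripped at '#', and a later assignment
    replaces an earlier one; include files and nested blocks are not followed.
    """
    values = dict(DEFAULTS)
    for line in config_text.splitlines():
        match = ASSIGNMENT.match(line.split("#", 1)[0])
        if match and match.group(1) in DEFAULTS:
            values[match.group(1)] = match.group(2)
    return values

def audit_dh(config_text, min_bits=2048):
    """Report DH size and regeneration status; min_bits is an assumed policy value."""
    values = effective_settings(config_text)
    length = values["ssl_dh_parameters_length"]
    bits = int(length) if length.isdigit() else None
    # Assumption: a value of 0 (with or without a unit) turns regeneration off.
    regenerates = re.match(r"0\b", values["ssl_parameters_regenerate"]) is None
    return {
        "dh_bits": bits,
        "dh_below_minimum": bits is None or bits < min_bits,
        "regenerates": regenerates,
    }

if __name__ == "__main__":
    print(audit_dh(SAMPLE))
```

The text passed in can be the contents of the configuration file or the output of `doveconf -n`; a setting that is only present as a comment counts as unset, so the default applies.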