[Ach] Dovecot DH parameters

Leon Weber leon at leonweber.de
Tue Feb 10 14:24:57 CET 2015


I’ve been reading through dovecot’s SSL configuration manual[1].

According to that, dovecot

(1) uses 1024 bit DH parameters by default, unless configured otherwise
    in the ssl_dh_parameters_length variable, and

(2) generates the DH parameters by itself, and even regenerates that
    file every week unless disabled by ssl_parameters_regenerate

This makes me wonder:  Would it make sense to include a config statement
to change (1) to a larger value in the bettercrypto.org manual?

Regarding (2):  If I understand RFC 7457 section 2.9 correctly, it
advises against generating DH params yourself.  Hence, is it reasonable
to disable parameter regeneration and supply dovecot with a pregenerated
parameter file?

If so, would it make sense to suggest that in the bettercrypto manual as


    -- Leon.

[1]: <http://wiki2.dovecot.org/SSL/DovecotConfiguration>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/ach/attachments/20150210/0a8d8fea/attachment.sig>

More information about the Ach mailing list