On 10.9.2013, at 22.57, Dimi - <00tj45 at gmail.com> wrote:
> Hi!
> Is there any possibility to let dovecot serve >1024 Bit DH parameters on
> SSL/TLS connections? Is it possible to replace
> /var/lib/dovecot/ssl-parameters.ssl with DH parameters generated by openssl?
>
> If not: Are there any plans to implement that?
It would be simple enough to add support for more bits, but I don't know how
SSL_CTX_set_tmp_dh_callback() is supposed to select between them. Should it do
it based on the keylength parameter or should it just always use the highest
bits parameter? How much does using larger DH keys use CPU from server and/or
client? Should this be configurable? Maybe it would be a good idea to allow
OpenSSL-compatible DH parameter files.
All in all: I don't know enough about SSL to be very confident on how to
implement this properly.
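One way to settle the selection question the reply raises, as an added example that is not dovecot's or OpenSSL's code: a pure C policy function that a SSL_CTX_set_tmp_dh_callback() callback could wrap. The OpenSSL glue (reading PEM files into DH objects, returning the DH*) is left out so it compiles without libssl; the 2048-bit floor, the dh_pool type and the prefer_strongest switch are assumptions.

```c
#include <stddef.h>

/* Assumption: policy floor. The 1024-bit parameters dovecot generated by
 * default are what the thread wants to move past, so nothing below this is
 * ever served, whatever the hint from OpenSSL says. */
#define DH_MIN_BITS 2048

/* Bit sizes of the DH parameter sets the server has loaded, e.g. {2048, 4096}.
 * In the real callback each entry would also carry the DH* read with
 * PEM_read_DHparams(), which is the "OpenSSL-compatible file" option. */
typedef struct {
    const int *bits;
    size_t count;
    int prefer_strongest; /* 1: always the largest set; 0: smallest that fits */
} dh_pool;

/* Decide which loaded set the callback should hand back. The arguments mirror
 * the callback's (is_export, keylength). Returns the bit size to serve, or 0
 * to refuse (the callback would then return NULL and the handshake fails). */
int select_dh_bits(const dh_pool *pool, int is_export, int keylength)
{
    int required, chosen = 0;
    size_t i;

    /* Export ciphers ask for 512-bit DH; refusing is safer than serving it. */
    if (is_export)
        return 0;

    /* keylength is only a hint (OpenSSL 1.0.x passes 1024 for every
     * non-export cipher), so it may raise the requirement but never lower
     * it below the floor. */
    required = keylength > DH_MIN_BITS ? keylength : DH_MIN_BITS;

    for (i = 0; i < pool->count; i++) {
        int b = pool->bits[i];
        if (b < required)
            continue;
        if (chosen == 0 || (pool->prefer_strongest ? b > chosen : b < chosen))
            chosen = b;
    }
    return chosen; /* 0 if no loaded set satisfies the floor */
}
```

The CPU question in the reply is what prefer_strongest trades off: 0 serves the smallest set that still meets the floor, 1 always serves the largest loaded set.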