tai74 at vfemail.net
2018-Jun-22 07:18 UTC
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
Hi, sorry if this question was asked already. I was reading https://wiki2.dovecot.org/Upgrading/2.3

First, I'm confused about the Diffie-Hellman parameters file. I never set up ssl-parameters.dat before (should I have? Do I have one that was automatically made for me by Dovecot?)

Do I need to make a fresh dh.pem? The upgrade doc tells how to convert ssl-parameters.dat, but how do I make a new one?

The other question is: if I copy ssl_min_protocol from the example config into my existing config, is that enough? Do the experts on this list recommend any tweaks that increase client requirements more than the Dovecot developers are comfortable with, but will ensure more secure protocol usage?

-------------------------------------------------
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
On 22 June 2018 at 10:18 tai74 at vfemail.net wrote:

> Hi, sorry if this question was asked already. I was reading
> https://wiki2.dovecot.org/Upgrading/2.3
>
> First, I'm confused about the Diffie-Hellman parameters file. I never set up
> ssl-parameters.dat before (should I have? Do I have one that was
> automatically made for me by Dovecot?)
>
> Do I need to make a fresh dh.pem? The upgrade doc tells how to convert
> ssl-parameters.dat, but how do I make a new one?

2.2 makes the ssl-parameters.dat automatically. You can choose to either use that with the instructions given, or you can make a fresh one using

    openssl gendh 4096 > dh.pem

Note that this will require quite a lot of entropy, so you should probably ensure that you run it on a laptop or with a virtual machine that has some entropy source/helper.

> The other question is: if I copy ssl_min_protocol from the example config into
> my existing config, is that enough? Do the experts on this list recommend
> any tweaks that increase client requirements more than the Dovecot
> developers are comfortable with, but will ensure more secure protocol
> usage?

ssl_min_protocol defines the minimum TLS protocol the server supports. We recommend TLSv1, but if you want, you can experiment with TLSv1.2, which will decrease client compatibility a bit.

Aki
On Fri, 22 Jun 2018, Aki Tuomi wrote:

>> Do I need to make a fresh dh.pem? The upgrade doc tells how to convert
>> ssl-parameters.dat, but how do I make a new one?
>
> ... or you can make a fresh one using
>
>     openssl gendh 4096 > dh.pem

This also works:

    openssl dhparam -out dh.pem 4096

> Note that this will require quite a lot of entropy, so you should
> probably ensure that you run it on a laptop or with a virtual machine
> that has some entropy source/helper.

It can take an extraordinary amount of time for long keys. Most of the time/entropy is taken up producing a "safe" prime (p) such that (p-1)/2 is also prime, to resist some factoring algorithms. However, recent advances make this condition obsolete [*] and not really safer, so a much faster way to generate a DH key is

    openssl dhparam -dsaparam -out dh.pem 4096

DH generation is a one-time operation, so if you're paranoid and you've got time to burn, go ahead and generate the "safe" DH key.

[*] https://security.stackexchange.com/questions/42415/openvpn-dhparam

Joseph Tam <jtam.home at gmail.com>
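As an added example (not code from the thread or from Dovecot), a small POSIX shell script that does what Aki and Joseph describe end to end: it generates dh.pem either as a safe prime or with -dsaparam, refuses a file whose modulus is under 2048 bits, runs openssl dhparam -check on the result, and prints the ssl_dh and ssl_min_protocol lines to add to a Dovecot 2.3 config. It assumes the openssl CLI is on PATH; the function names and the 2048-bit floor are choices made here, not Dovecot defaults.

```shell
#!/bin/sh
# Added example, not code from the thread: generate and validate Dovecot DH parameters.
# Assumes the openssl CLI is on PATH; function names and the 2048-bit floor are this
# script's own choices.
set -eu

# gen_dh_params <out.pem> <bits> <safe|fast>
#   safe: safe-prime generation (slow and entropy-hungry, like `openssl gendh`)
#   fast: -dsaparam, the quicker X9.42-style generation Joseph describes
gen_dh_params() {
    out=$1; bits=$2; mode=${3:-safe}
    case "$mode" in
        safe) openssl dhparam -out "$out" "$bits" 2>/dev/null ;;
        fast) openssl dhparam -dsaparam -out "$out" "$bits" 2>/dev/null ;;
        *) echo "gen_dh_params: unknown mode '$mode'" >&2; return 2 ;;
    esac
}

# dh_param_bits <file>: print the modulus size in bits, or 0 if the file does not parse.
dh_param_bits() {
    bits=$(openssl dhparam -in "$1" -noout -text 2>/dev/null \
           | grep -oE '[0-9]+ bit' | head -n1 | cut -d' ' -f1)
    echo "${bits:-0}"
}

# dh_params_ok <file> [min_bits]: succeed only if the modulus meets the floor and
# OpenSSL's own consistency check (p prime, usable generator, q consistent) passes.
dh_params_ok() {
    file=$1; min_bits=${2:-2048}
    bits=$(dh_param_bits "$file")
    if [ "$bits" -lt "$min_bits" ]; then
        echo "$file: $bits-bit modulus is below the $min_bits-bit floor" >&2
        return 1
    fi
    openssl dhparam -in "$file" -noout -check >/dev/null 2>&1
}

# main <out.pem> [bits] [safe|fast]: generate, validate, then show the Dovecot settings.
main() {
    out=$1; bits=${2:-4096}; mode=${3:-safe}
    gen_dh_params "$out" "$bits" "$mode"
    dh_params_ok "$out" 2048
    chmod 0644 "$out"   # DH parameters are public; only the private key needs protecting
    echo "Generated $(dh_param_bits "$out")-bit DH parameters ($mode) in $out"
    echo "Add to Dovecot 2.3 conf.d/10-ssl.conf:"
    echo "ssl_dh = <$out"
    echo "ssl_min_protocol = TLSv1.2"
}

# Usage: sh gen_dh.sh /etc/dovecot/dh.pem 4096 fast
if [ $# -gt 0 ]; then main "$@"; fi
```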