On Tue, Dec 02, 2014 at 10:12:22AM -0800, Darren Pilgrim wrote:
> On 12/2/2014 10:05 AM, Will Yardley wrote:
> > I had some problems the first few times I restarted with ssl-params
> > seeming to hang, but it finally works.
>
> That would have been dovecot generating the 4096-bit DH parameters. It
> can take a bit, but Dovecot is quite fast at it. If Dovecot supported
> it, you could use OpenSSL to generate tested-safe DH parameters and
> supply them by file the same way you do for Postfix, nginx, etc.

In this case, it was consuming a lot of CPU for 5+ minutes, and the
.dat.tmp file hadn't been updated since the process started, so I'm not
sure if something went wrong. strace on the ssl-params process itself
(without following child procs, anyway) didn't seem to show anything
happening. This happened for a couple of restarts.

I enabled verbose ssl logging, restarted, and it seemed to work, then
disabled verbose logging again, and it still works.

w