Quoting Gedalya <gedalya at gedalya.net>:

> On 05/26/2015 10:37 AM, Ron Leach wrote:
>> https://weakdh.org/sysadmin.html
>>
>> includes altering DH parameters length to 2048, and re-specifying the
>> allowable cipher suites - they give their suggestion.
>
> It looks like there is an error on this page regarding regeneration. In
> current dovecots ssl_parameters_regenerate defaults to zero, and this
> means regeneration is disabled. The old default was 168 hours (1 week).
> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is
> confusing and could be understood to mean that the current default is
> one week.
> To enable regeneration you can manually set:
> ssl_parameters_regenerate = 60 days
> or:
> ssl_parameters_regenerate = 1 weeks

This is really cool and all, but for a low power proxy, it takes a good 5
minutes to regenerate the dh params, and Dovecot listens the entire time.

If the socket were closed during regeneration, then a (basic) front-end
load balancer wouldn't still push connections to that proxy during regen.

Rick
On 05/27/2015 09:55 AM, Rick Romero wrote:

> Quoting Gedalya <gedalya at gedalya.net>:
>
>> On 05/26/2015 10:37 AM, Ron Leach wrote:
>>> https://weakdh.org/sysadmin.html
>>>
>>> includes altering DH parameters length to 2048, and re-specifying the
>>> allowable cipher suites - they give their suggestion.
>>
>> It looks like there is an error on this page regarding regeneration. In
>> current dovecots ssl_parameters_regenerate defaults to zero, and this
>> means regeneration is disabled. The old default was 168 hours (1 week).
>> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is
>> confusing and could be understood to mean that the current default is
>> one week.
>> To enable regeneration you can manually set:
>> ssl_parameters_regenerate = 60 days
>> or:
>> ssl_parameters_regenerate = 1 weeks
>
> This is really cool and all, but for a low power proxy, it takes a good 5
> minutes to regenerate the dh params, and Dovecot listens the entire time.
>
> If the socket were closed during regeneration, then a (basic) front-end
> load balancer wouldn't still push connections to that proxy during regen.
>
> Rick

I wonder if what is taking 5 minutes is CPU usage or entropy starvation.
Might be worth looking into.

However the entire reason why I wrote this comment was to correct the
mistaken line saying "#regenerates every week". It is not at this point
emphasized anywhere, including on weakdh.org, that it is actually of high
importance to regenerate your DH parameters frequently. This has been
discussed extensively e.g. within the exim project and other places, and
on dovecot too the default was changed to not regenerate. It seems that
people are mostly just saying you should have locally generated parameters
unique to your site.

But to address your point, if this feature is deemed worth maintaining, it
seems it would be best to spawn a thread working on the new parameters in
the background and replacing them when ready.

Otherwise dovecot can just implement a dh_parameters config option like
all other daemons and you can maintain that externally as you please. But
we're supposed to be focusing on EC anyway :-)
Quoting Gedalya <gedalya at gedalya.net>:

> On 05/27/2015 09:55 AM, Rick Romero wrote:
>> Quoting Gedalya <gedalya at gedalya.net>:
>>
>>> On 05/26/2015 10:37 AM, Ron Leach wrote:
>>>> https://weakdh.org/sysadmin.html
>>>>
>>>> includes altering DH parameters length to 2048, and re-specifying the
>>>> allowable cipher suites - they give their suggestion.
>>>
>>> It looks like there is an error on this page regarding regeneration. In
>>> current dovecots ssl_parameters_regenerate defaults to zero, and this
>>> means regeneration is disabled. The old default was 168 hours (1 week).
>>> The language on http://wiki2.dovecot.org/SSL/DovecotConfiguration is
>>> confusing and could be understood to mean that the current default is
>>> one week.
>>> To enable regeneration you can manually set:
>>> ssl_parameters_regenerate = 60 days
>>> or:
>>> ssl_parameters_regenerate = 1 weeks
>>
>> This is really cool and all, but for a low power proxy, it takes a good 5
>> minutes to regenerate the dh params, and Dovecot listens the entire time.
>>
>> If the socket were closed during regeneration, then a (basic) front-end
>> load balancer wouldn't still push connections to that proxy during regen.
>>
>> Rick
>
> I wonder if what is taking 5 minutes is CPU usage or entropy starvation.
> Might be worth looking into.

I'd say CPU usage - I have two identical VMs for dovecot proxies, one is
hosted on a dual Xeon 5450, the other a dual Opteron 2347HE. Both hosts
are under similar load, but the Xeon host was done within 30 seconds. I
assume the Xeon, besides having a faster base CPU frequency, is just
better for that sort of workload. I noticed a similar difference when
generating params for the web servers, but I did that externally.

I assume it'd probably be easier to do the dh_parameters config than to
fully disable the socket during regen.

Rick