dovecot - Jun 2018 - upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol

On Fri, 22 Jun 2018, Aki Tuomi wrote:
>> Do I need to make a fresh dh.pem? The upgrade doc tells how to convert 
>> ssl-parameters.dat but how to make a new one?
>
> ... or you can make a fresh one using openssl
> gendh 4096 > dh.pem
This also works

 	openssl dhparam -out dh.pem 4096
> Note that this will require quite a lot of entropy, so you should
> probably ensure that you run it on a laptop or with virtual machine
> that has some entropy source/helper.
It can take an extraordinary amount of time for long keys.  Most of
the time/entropy is taken up to produce a "safe" prime (p) such that
(p-1)/2 is also prime to resist some factoring algorithms.

However, recent advances make this condition obsolete [*] and not
really safer, so a much faster way to generate a DH key is

 	openssl dhparam -dsaparam -out dh.pem 4096

DH generation is a one time operation, so if you're paranoid and you've
got time to burn, go ahead and generate the "safe" DH key.

[*] https://security.stackexchange.com/questions/42415/openvpn-dhparam)

Joseph Tam <jtam.home at gmail.com>

On Fri, 22 Jun 2018, Joseph Tam wrote:
> However, recent advances make this condition obsolete [*] and not
> really safer, so a much faster way to generate a DH key is
>
> 	openssl dhparam -dsaparam -out dh.pem 4096
>
> DH generation is a one time operation, so if you're paranoid and
you've
> got time to burn, go ahead and generate the "safe" DH key.
>
> [*] https://security.stackexchange.com/questions/42415/openvpn-dhparam)
Oh, I might have to backtrack on this claim

 	https://www.openssl.org/news/secadv/20160128.txt

although it's beyond my understanding whether it's applicable to
Dovecot.

Joseph Tam <jtam.home at gmail.com>

Thanks Joseph, Aki, but something missing from upgrade document, where  
does the dh param file go? I located ssl-parameters.dat so I will put  
it there.

Quoting Joseph Tam <jtam.home at gmail.com>:
> On Fri, 22 Jun 2018, Joseph Tam wrote:
>
>> However, recent advances make this condition obsolete [*] and not
>> really safer, so a much faster way to generate a DH key is
>>
>> 	openssl dhparam -dsaparam -out dh.pem 4096
>>
>> DH generation is a one time operation, so if you're paranoid and
you've
>> got time to burn, go ahead and generate the "safe" DH key.
>>
>> [*] https://security.stackexchange.com/questions/42415/openvpn-dhparam)
>
> Oh, I might have to backtrack on this claim
>
> 	https://www.openssl.org/news/secadv/20160128.txt
>
> although it's beyond my understanding whether it's applicable to
Dovecot.
>
> Joseph Tam <jtam.home at gmail.com>



-------------------------------------------------

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the
NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!