I did that the last time one year ago; now, on another machine with the same software (Ubuntu 16.04), it fails.

openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem

The last command fails with

681+0 records in
681+0 records out
681 bytes copied, 0,00278343 s, 245 kB/s
unable to load DH parameters
139858178938624:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
139858178938624:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:289:Type=DH

ssl-parameters.dat is more than double the size of the one that worked. And that one I can still transform:

272+0 records in
272+0 records out
272 bytes copied, 0,00105017 s, 259 kB/s

So, something with

openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat

must be wrong. But what? https://wiki.dovecot.org/SSL/DovecotConfiguration tells to use this command.

Thanks!

Kai
Just generate new parameters on some machine with a good entropy source.

---
Aki Tuomi
Dovecot Oy

-------- Original message --------
From: Kai Schaetzl <maillists at conactive.com>
Date: 19/08/2018 18:08 (GMT+02:00)
To: dovecot at dovecot.org
Subject: creation of ssl-parameters fails

> I did that the last time one year ago; now, on another machine with the same software (Ubuntu 16.04), it fails.
>
> openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
> dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
>
> The last command fails with
>
> 681+0 records in
> 681+0 records out
> 681 bytes copied, 0,00278343 s, 245 kB/s
> unable to load DH parameters
> 139858178938624:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
> 139858178938624:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:289:Type=DH
>
> ssl-parameters.dat is more than double the size of the one that worked. And that one I can still transform:
>
> 272+0 records in
> 272+0 records out
> 272 bytes copied, 0,00105017 s, 259 kB/s
>
> So, something with
>
> openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
>
> must be wrong. But what? https://wiki.dovecot.org/SSL/DovecotConfiguration tells to use this command.
>
> Thanks!
>
> Kai
On 19.08.2018 at 17:08, Kai Schaetzl wrote:
> I did that the last time one year ago; now, on another machine with the same software (Ubuntu 16.04), it fails.
>
> openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
> dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
>
> The last command fails with
>
> 681+0 records in
> 681+0 records out
> 681 bytes copied, 0,00278343 s, 245 kB/s
> unable to load DH parameters
> 139858178938624:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
> 139858178938624:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:289:Type=DH
>
> ssl-parameters.dat is more than double the size of the one that worked. And that one I can still transform:
>
> 272+0 records in
> 272+0 records out
> 272 bytes copied, 0,00105017 s, 259 kB/s
>
> So, something with
>
> openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
>
> must be wrong. But what? https://wiki.dovecot.org/SSL/DovecotConfiguration tells to use this command.
>
> Thanks!
>
> Kai

The DH file you run your command against is not DER formatted. Mine is in PEM format and contains

-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----

Alexander
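The point Alexander makes is worth checking mechanically before piping anything through dd: `openssl dhparam` writes PEM by default, so a file that begins with `-----BEGIN DH PARAMETERS-----` is ASCII armour and its first byte is `-` (0x2d), not the DER SEQUENCE tag 0x30 that `-inform der` expects, which is exactly the "wrong tag" the ASN.1 decoder reports. The following is an added example, not code from the thread, from Dovecot or from OpenSSL. It is a minimal reader for PKCS#3 DH parameter files that detects the encoding first, decodes either form, and reproduces the decoder error offline. The function names are mine, and the sample parameters are a constructed toy group (p = 23, g = 5) used only so the example runs without generating real parameters.

```python
"""Minimal DH-parameter file reader: tell PEM from DER before decoding.

Added example for this thread, not code from Dovecot or OpenSSL. It mirrors
what `openssl dhparam -inform der` does at the ASN.1 level so the "wrong tag"
error from the original post can be reproduced offline. The sample parameters
below are a constructed toy group (p=23, g=5), not something to deploy.
"""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value element starting at buf[pos].

    Returns (tag, value_bytes, position_after_element). Only definite-length
    encodings are handled, which is all DER allows.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: no room for tag and length")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("truncated DER: bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER: value runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def parse_dh_der(der):
    """Parse PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }.

    Returns (p, g). Raises ValueError with a "wrong tag" message when the data
    does not start with a SEQUENCE, which is what happens when a PEM file
    (first byte '-', 0x2d) is handed to a DER decoder.
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError(f"wrong tag: expected SEQUENCE (0x30), got 0x{tag:02x}")
    tag, p, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError(f"wrong tag: expected INTEGER for p, got 0x{tag:02x}")
    tag, g, _ = _read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError(f"wrong tag: expected INTEGER for g, got 0x{tag:02x}")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")


def detect_format(data):
    """Return "pem", "der" or "unknown" for the raw bytes of a DH parameter file."""
    if PEM_RE.search(data):
        return "pem"
    if data[:1] == b"\x30":           # DER SEQUENCE tag
        return "der"
    return "unknown"


def load_dh_params(data):
    """Decode a DH parameter file in either encoding and return (p, g)."""
    fmt = detect_format(data)
    if fmt == "pem":
        armour = PEM_RE.search(data).group(1)
        der = base64.b64decode(re.sub(rb"\s+", b"", armour))
    elif fmt == "der":
        der = data
    else:
        raise ValueError("not a PEM or DER DH parameter file")
    return parse_dh_der(der)


def der_to_pem(der):
    """Wrap DER bytes in the PEM armour that openssl dhparam writes by default."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"


def der_decode_error(data):
    """Return the decoder's error text for DATA, or None if it decodes cleanly."""
    try:
        parse_dh_der(data)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed toy sample: DER for p=23, g=5 (SEQUENCE { INTEGER 23, INTEGER 5 }).
TOY_DER = b"\x30\x06\x02\x01\x17\x02\x01\x05"
TOY_PEM = der_to_pem(TOY_DER).encode("ascii")

if __name__ == "__main__":
    for name, blob in (("DER", TOY_DER), ("PEM", TOY_PEM)):
        print(f"{name}: format={detect_format(blob)} params={load_dh_params(blob)}")
    # What the thread's pipeline does to a PEM file: decode it as DER.
    print("PEM fed to DER decoder:", der_decode_error(TOY_PEM))
    print("PEM with 88 bytes skipped:", der_decode_error(TOY_PEM[88:]))
```

With the OpenSSL tool itself the same check is simply to look at the first line of the file: if it is the `-----BEGIN DH PARAMETERS-----` banner, read it with `openssl dhparam -in FILE -noout -text` and do not use dd or `-inform der`; `-inform der` is only for a file whose first byte is 0x30.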