Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:> Just generate new parameters on some machine with good entropy source.So, if it fails to transform (although bigger) the machine hasn't enough entropy (because it's quite new?)? I'm generating now on the original machine from last year which is still going on while a second run on one of the machines where it failed to transform is already finished. So, that would indicate it has less entropy? Can I re-use the ssl-parameters.dat for several machines or should I create a new one for each? For the time being I just copied the dh.pem over, to get going, but I guess this should only be a temporary workaround? Thanks! Kai
Well, on that machine it took now more than an hour. But it created the same 769 bytes file as on the other machines. And, foreseeable, that one fails to transform as well. -rw-r--r-- 1 root root 360 Aug 7 2017 ssl-parameters.dat -rw-r--r-- 1 root root 769 Aug 19 19:25 ssl-parameters.new.dat I cannot remember how I created the first one, I don't seem to have a record about that. Google says that dovecot would create the ssl- parameters.dat file by itself on first startup. Does or did it do that? If so, then it uses a different creation process. On that machine I had the default dovecot installed and running before going to 2.3. On the new machines I jumped right to 2.3 without ever running 2.2. Maybe 2.3 is not creating this file? Kai
> On 19 August 2018 at 19:38 Kai Schaetzl <maillists at conactive.com> wrote: > > > Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300: > > > Just generate new parameters on some machine with good entropy source. > > So, if it fails to transform (although bigger) the machine hasn't enough > entropy (because it's quite new?)? I'm generating now on the original > machine from last year which is still going on while a second run on one > of the machines where it failed to transform is already finished. So, that > would indicate it has less entropy? > Can I re-use the ssl-parameters.dat for several machines or should I > create a new one for each? > For the time being I just copied the dh.pem over, to get going, but I > guess this should only be a temporary workaround? > > Thanks! > > Kai > >The transformation probably fails because your ssl-parameters.dat file is somewhat different than what it usually is, so probably the offset should be bigger than 88. You could try using skip=152 and see if it works. It is not strictly speaking mandatory to have per-installation dh parameters, you can reuse the generated parameters within your site. Aki
> On 19 August 2018 at 20:55 Aki Tuomi <aki.tuomi at dovecot.fi> wrote: > > > > > On 19 August 2018 at 19:38 Kai Schaetzl <maillists at conactive.com> wrote: > > > > > > Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300: > > > > > Just generate new parameters on some machine with good entropy source. > > > > So, if it fails to transform (although bigger) the machine hasn't enough > > entropy (because it's quite new?)? I'm generating now on the original > > machine from last year which is still going on while a second run on one > > of the machines where it failed to transform is already finished. So, that > > would indicate it has less entropy? > > Can I re-use the ssl-parameters.dat for several machines or should I > > create a new one for each? > > For the time being I just copied the dh.pem over, to get going, but I > > guess this should only be a temporary workaround? > > > > Thanks! > > > > Kai > > > > > > The transformation probably fails because your ssl-parameters.dat file is somewhat different than what it usually is, so probably the offset should be bigger than 88. You could try using skip=152 and see if it works. > > It is not strictly speaking mandatory to have per-installation dh parameters, you can reuse the generated parameters within your site. > > AkiOh and for ssl_sh= you can just use the following command, you don't need to use ssl-parameters.dat file at all. openssl gendh 4096 > params.pem Aki