Displaying 20 results from an estimated 66 matches for "dhparam".
2018 Aug 19
2
creation of ssl-parameters fails
> On 19 August 2018 at 20:55 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>
>
> > On 19 August 2018 at 19:38 Kai Schaetzl <maillists at conactive.com> wrote:
> >
> >
> > Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:
> >
> > > Just generate new parameters on some machine with good entropy source.
> >
> > So, if
2018 Aug 19
2
creation of ssl-parameters fails
I did that the last time one year ago, now on another machine with the
same software (Ubuntu 16.04) it fails.
openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
last command fails with
681+0 records in
681+0 records out
681 bytes copied, 0,00278343 s, 245 kB/s
unable to load DH parameters
139858178938...
2018 Jun 22
2
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
On Fri, 22 Jun 2018, Aki Tuomi wrote:
>> Do I need to make a fresh dh.pem? The upgrade doc tells how to convert
>> ssl-parameters.dat but how to make a new one?
>
> ... or you can make a fresh one using openssl
> gendh 4096 > dh.pem
This also works
openssl dhparam -out dh.pem 4096
> Note that this will require quite a lot of entropy, so you should
> probably ensure that you run it on a laptop or with virtual machine
> that has some entropy source/helper.
It can take an extraordinary amount of time for long keys. Most of
the time/entropy is taken...
2018 Aug 20
0
creation of ssl-parameters fails
Aki Tuomi wrote on Sun, 19 Aug 2018 20:56:28 +0300 (EEST):
> openssl gendh 4096 > params.pem
Ok. I then misunderstood what's written at
https://wiki.dovecot.org/SSL/DovecotConfiguration
I thought I need to create dh.pem in two steps:
1. openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
2. dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam -inform der > /etc/dovecot/dh.pem
That's what I did on the first installation. ssl-parameters.dat already
existed and I just used the second command to transform it. N...
2015 Nov 04
1
ssl-params: slow startup (patch for consideration)
...arameters can
exceed your patience.
Regeneration may not be a problem (if ssl_parameters_regenerate=0 or if
Dovecot uses old parameters until regeneration finishes), but for cold
starts, the server can be tied up for a few minutes creating DH parameters
while clients queue up.
I ran "openssl dhparam 2048" and got wildly varying run times of 1m45s,
11m56s, 0.4s, 2m19s, 3h23s. Most of the time was spent testing primality
of candidate p *and* (p-1)/2 -- so called "safe prime". If you're
unlucky, this can take a long time.
However, it appears "safe" primes are not w...
2003 May 23
1
error with make clean in /usr/src
.... I have tried
deleting all of /usr/src and re cvsuped, but the problem persists.
FreeBSD 4.7-STABLE #0: Fri Feb 14 13:49:58 EST 2003
===> secure/usr.bin/openssl
rm -f buildinf.h openssl/opensslconf.h openssl/evp.h xopenssl app_rand.o
apps.o asn1pars.o ca.o ciphers.o crl.o crl2p7.o dgst.o dh.o dhparam.o dsa.o
dsaparam.o enc.o engine.o errstr.o gendh.o gendsa.o genrsa.o nseq.o ocsp.o
openssl.o passwd.o pkcs12.o pkcs7.o pkcs8.o rand.o req.o rsa.o rsautl.o
s_cb.o s_client.o s_server.o s_socket.o s_time.o sess_id.o smime.o speed.o
spkac.o verify.o version.o x509.o CA.pl.1.gz asn1parse.1.gz ca.1.gz
c...
2017 Aug 10
4
NT_STATUS_INTERNAL_ERROR
...eter tls certfile = /var/lib/samba/private/tls/dc-cert.pem
doing parameter tls keyfile = /var/lib/samba/private/tls/secure/dc-privkey.pem
doing parameter tls cafile = /var/lib/samba/private/tls/cacert.pem
doing parameter tls crlfile = /var/lib/samba/private/tls/mtz.desoft.cu.crl
doing parameter tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
doing parameter ntlm auth = yes
doing parameter winbind max clients = 10000
doing parameter min protocol = SMB2
pm_process() returned Yes
added interface eth1 ip=fd2d:bba0:d4f9:4fb9:98fe:2ff:fe6b:adcb bcast= netmask=ffff:ffff:ffff:ffff::
added inte...
2018 Jun 25
1
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
...t so I will put
it there.
Quoting Joseph Tam <jtam.home at gmail.com>:
> On Fri, 22 Jun 2018, Joseph Tam wrote:
>
>> However, recent advances make this condition obsolete [*] and not
>> really safer, so a much faster way to generate a DH key is
>>
>> openssl dhparam -dsaparam -out dh.pem 4096
>>
>> DH generation is a one time operation, so if you're paranoid and you've
>> got time to burn, go ahead and generate the "safe" DH key.
>>
>> [*] https://security.stackexchange.com/questions/42415/openvpn-dhparam)
>
&...
2020 Jul 16
2
Outlook vs Thunderbird
...e?
I tried for a week with various combinations but nothing worked short
of disabling SSL altogether. These are the remnants of some attempts...
# 20200531 suggested by Aki Tuomi
#ssl_min_protocol = TLSv1.0
#ssl_ciphers = ALL:!LOW:!SSLv2:!EXP:!aNULL
# https://ssl-config.mozilla.org OLD
# openssl dhparam -dsaparam 1024 > /etc/dovecot/dh.pem
ssl_prefer_server_ciphers = yes
#ssl_min_protocol = TLSv1
#ssl_cipher_list = ECDHE-ECDSA****
# https://ssl-config.mozilla.org MEDIUM
# openssl dhparam -dsaparam 2048 > /etc/dovecot/dh.pem
#ssl_prefer_server_ciphers = no
#ssl_min_protocol = TLSv1.2
#ssl_ci...
2003 Jun 13
1
Strange problem with "make clean"
...[...]
rm -f telnet authenc.o commands.o main.o network.o ring.o sys_bsd.o
telnet.o terminal.o utilities.o telnet.1.gz telnet.1.cat.gz
===> secure/usr.bin/openssl
rm -f buildinf.h openssl/opensslconf.h openssl/evp.h xopenssl
app_rand.o apps.o asn1pars.o ca.o ciphers.o crl.o crl2p7.o dgst.o dh.o
dhparam.o dsa.o dsaparam.o enc.o engine.o errstr.o gendh.o gendsa.o
genrsa.o nseq.o ocsp.o openssl.o passwd.o pkcs12.o pkcs7.o pkcs8.o
rand.o req.o rsa.o rsautl.o s_cb.o s_client.o s_server.o s_socket.o
s_time.o sess_id.o smime.o speed.o spkac.o verify.o version.o x509.o
CA.pl.1.gz asn1parse.1.gz ca.1.gz c...
2018 Jun 22
2
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
hi sorry if question was asked already. Was reading
https://wiki2.dovecot.org/Upgrading/2.3
first I'm confused on diffie hellman parameters file. I never set up
ssl-parameters.dat before (should I have? do I have one that was
automatically made for me by dovecot?)
Do I need to make a fresh dh.pem? The upgrade doc tells how to convert
ssl-parameters.dat but how to make a new one?
other
2015 Jul 04
1
sendmail tls and oppenssl
Am 04.07.2015 um 15:34 schrieb Gregory P. Ennis <PoMec at PoMec.Net>:
> On Sat, 2015-07-04 at 08:07 -0500, Gregory P. Ennis wrote:
>> Everyone,
>>
>> Looks like the new version of openssl has broken my sendmail's use
>> of
>> tls. Has anyone else had this problem or seen a fix?
>>
>> Greg Ennis
>>
2016 Oct 05
2
Ast 13.10 to 13.11 stop working webrtc
...phemeral ECDH (ECDHE) is enabled by default. To disable it, do not
specify a ECDHE cipher suite in sip.conf, for example:
dtlscipher=AES128-SHA
- Ephemeral DH (DHE) is disabled by default. To enable it, add DH parameters
into the private key file, e.g., sip.conf dtlsprivatekey. For example:
openssl dhparam -out ./dh.pem 2048
- Because clients expect the server to prefer PFS, and because OpenSSL sorts
its cipher suites by bit strength, see "openssl ciphers -v DEFAULT".
Consider re-ordering your cipher suites in the respective configuration
file. For example:
dtlscipher=ECDHE-ECDSA-AES128-GC...
2018 Jun 22
0
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
On Fri, 22 Jun 2018, Joseph Tam wrote:
> However, recent advances make this condition obsolete [*] and not
> really safer, so a much faster way to generate a DH key is
>
> openssl dhparam -dsaparam -out dh.pem 4096
>
> DH generation is a one time operation, so if you're paranoid and you've
> got time to burn, go ahead and generate the "safe" DH key.
>
> [*] https://security.stackexchange.com/questions/42415/openvpn-dhparam)
Oh, I might have to backt...
2019 May 19
1
Do we need ssl_dh_parameters_length in version 2.3
Hi, I couldn't really find documentation about ssl_dh_parameters_length
except for mention in passing on the page
https://wiki2.dovecot.org/SSL/DovecotConfiguration
For version 2.3 and above is that setting necessary? If so what are the
values I can use, is setting it high like 4096 beneficial or make any
problems for clients?
Thanks for assistance.
2020 Jul 15
2
Outlook vs Thunderbird
On Tue Jul 07 2020 02:07:08 GMT-0400 (Eastern Standard Time), Mark
Constable <markc at renta.net> wrote:
> FWIW I meant if the client is Windows7/old-Outlook then changing either
> 993/SSL or 143/STARTTLS to 143/NONE could help pick up the mail. We had
> to do this for a 100 or so clients a few months ago after upgrading to
> Ubuntu 20.04.
Really, really bad idea. You just
2017 Aug 11
0
NT_STATUS_INTERNAL_ERROR and cannot join windows 7 samba4-ad-dc fresh install, get NT_STATUS_INTERNAL_ERROR
...ertfile = /var/lib/samba/private/tls/dc-cert.pem
> > tls keyfile =
> /var/lib/samba/private/tls/secure/dc-privkey.pem
> > tls cafile = /var/lib/samba/private/tls/cacert.pem
> > tls crlfile = /var/lib/samba/private/tls/mtz.desoft.cu.crl
> > tls dhparams file = /var/lib/samba/private/tls/dc-dhparams.pem
> >
>
> You could try recreating the cert files.
>
> Rowland
2023 Jul 14
1
Samba 4 AD SmartCard Authentication Problem
...e/tls/dc0-cert.pem
tls keyfile = /var/lib/samba/private/tls/secure/dc0-privkey.pem
tls cafile = /var/lib/samba/private/tls/cacert.pem
tls cafile = /var/lib/samba/private/tls/interca.pem
tls crlfile = /var/lib/samba/private/tls/rootca.crl
tls crlfile = /var/lib/samba/private/tls/interca.crl
tls dhparams file = /var/lib/samba/private/tls/dc0-dhparams.pem
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/test.example.de/scripts
read only = No
Is that a Kerberos related issue or Samba 4?
Regards
2019 Mar 03
2
migrating/cloning 2.2 > 2.3?
...2 master: Info: Dovecot v2.3.4.1 (3c0b8769e) starting up for
pop3, imap, sieve (core dumps disabled)
Mar 03 11:30:09 config: Warning: please set ssl_dh=</etc/dovecot/dh.pem
Mar 03 11:30:09 config: Warning: You can generate it with: dd
if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam
-inform der > /etc/dovecot/dh.pem
Mar 03 11:30:12 auth-worker(32307): Warning: sqlpool(mysql): Query failed,
retrying: Unknown column 'mailbox.enableimaptls' in 'where clause'
Mar 03 11:30:12 auth-worker(32307): Error:
sql(voytek at sbt.net.au,110.175.246.167,<jZs3viWDz7xur/an...
2016 Mar 06
2
Dovecot stops responding when I update SSL certificate
...ist, I note that the run time to generate these keys can vary
wildly, and gets worse with longer keys. Sometimes you get lucky, and
you'll generate them quickly, sometimes it takes a long while (minutes).
http://dovecot.org/pipermail/dovecot/2015-November/102447.html
Try running
openssl dhparam -noout 2048
to see how it varies for you. If what I suspect is true, you can try
using shorter keys. A followup post suggests a way you can precompute
the key
Joseph Tam <jtam.home at gmail.com>