Displaying 20 results from an estimated 4000 matches similar to: "upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol"
2018 Jun 25
1
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
Thanks Joseph, Aki, but something missing from upgrade document, where
does the dh param file go? I located ssl-parameters.dat so I will put
it there.
Quoting Joseph Tam <jtam.home at gmail.com>:
> On Fri, 22 Jun 2018, Joseph Tam wrote:
>
>> However, recent advances make this condition obsolete [*] and not
>> really safer, so a much faster way to generate a DH key is
2018 Jun 22
2
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
On Fri, 22 Jun 2018, Aki Tuomi wrote:
>> Do I need to make a fresh dh.pem? The upgrade doc tells how to convert
>> ssl-parameters.dat but how to make a new one?
>
> ... or you can make a fresh one using openssl
> gendh 4096 > dh.pem
This also works
openssl dhparam -out dh.pem 4096
> Note that this will require quite a lot of entropy, so you should
> probably
2018 Jun 22
0
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
> On 22 June 2018 at 10:18 tai74 at vfemail.net wrote:
>
>
>
> hi sorry if question was asked already. Was reading
> https://wiki2.dovecot.org/Upgrading/2.3
>
> first I'm confused on diffie hellman parameters file. I never set up
> ssl-parameters.dat before (should i have? do I have one that was
> automatically made for me by dovecot?)
>
> Do I need
2018 Jun 22
0
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
On Fri, 22 Jun 2018, Joseph Tam wrote:
> However, recent advances make this condition obsolete [*] and not
> really safer, so a much faster way to generate a DH key is
>
> openssl dhparam -dsaparam -out dh.pem 4096
>
> DH generation is a one time operation, so if you're paranoid and you've
> got time to burn, go ahead and generate the "safe" DH key.
>
2018 Aug 19
2
creation of ssl-parameters fails
> On 19 August 2018 at 20:55 Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
>
>
>
> > On 19 August 2018 at 19:38 Kai Schaetzl <maillists at conactive.com> wrote:
> >
> >
> > Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:
> >
> > > Just generate new parameters on some machine with good entropy source.
> >
> > So, if
2007 Sep 21
4
Diffie Hellman key exchange algorithms
A few questions regarding the OpenSSH support for the Diffie Hellman key exchange algorithms:
(1) Are the diffie-hellman-group-exchange-sha256",
"diffie-hellman-group-exchange-sha1"
, "diffie-hellman-group14-sha1" "diffie-hellman-group1-sha1" (as
defined in RFCs 4253 and RFC 4419) the complete list of key exchange
algorithms supported by OpenSSH?
(2) Is there a
2019 Jan 19
4
Can we disable diffie-hellman-group14-sha1 by default?
I'm not sure if collision resistance is required for DH key
derivation, but generally, SHA-1 is on its way out. If it's possible
(if there's not a very large percentage of servers that do not support
anything newer), it should be disabled.
2019 Feb 15
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
That doesn't seem to be the case. See
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
(5.6.1 Comparable Algorithm Strengths)
On Fri, Feb 15, 2019 at 8:28 AM Darren Tucker <dtucker at dtucker.net> wrote:
>
> On Fri, 15 Feb 2019 at 16:00, Yegor Ievlev <koops1997 at gmail.com> wrote:
> > I don't think there is any point to generate so
2019 Jan 19
3
Can we disable diffie-hellman-group14-sha1 by default?
e.g. can we make it throw warnings etc. rsa-sha2-256 and rsa-sha2-512
are fine, they use PSS.
On Sun, Jan 20, 2019 at 1:55 AM Yegor Ievlev <koops1997 at gmail.com> wrote:
>
> Also can we do anything with ssh-rsa? It uses both SHA-1 and
> deprecated PKCS#1 padding. If it's used to sign certificates, there's
> no additional protection of SHA-2 hashing before SHA-1
New install - getting error: "Failed to initialize SSL server context: Couldn't parse DH parameters"
2018 Nov 13
3
New install - getting error: "Failed to initialize SSL server context: Couldn't parse DH parameters"
I?m setting up Dovecot using Homebrew on a new server and am getting this when I try to login via IMAP:
Nov 13 14:13:35 auth: Debug: auth client connected (pid=30719)
Nov 13 14:13:35 imap-login: Info: Aborted login (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, secured, session=<gM0HNIN6HtoAAAAAAAAAAAAAAAAAAAAB>
Nov 13 14:18:33 auth: Debug: Loading modules from directory:
2013 Sep 24
3
2048-bit Diffie-Hellman parameters
Currently, dovecot generates two primes for Diffie-Hellman key
exchanges: a 512-bit one and a 1024-bit one. In light of recent
events, I think it would be wise to add support for 2048-bit primes as
well, or even better, add a configuration option that lets the user
select a file (or files) containing the DH parameters
In recent years, there has been increased interest in DH especially in
its
2017 Mar 20
1
Deploying Diffie-Hellman for TLS
I have been reading up on TLS and Dovecot and came across this URL:
https://www.weakdh.org/sysadmin.html which recommended these settings
for Dovecot. I would like to know if they are correct? Some much
documentation on the web is pure garbage.
Dovecot
These changes should be made in /etc/dovecot.conf
Cipher Suites
2019 Feb 15
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
I referred to the fact that there is no value for 4096-bit groups at
all. For higher strengths than 128 bits one should probably not use
non-EC crypto at all, as the document suggests.
On Fri, Feb 15, 2019 at 9:19 AM Darren Tucker <dtucker at dtucker.net> wrote:
>
> On Fri, 15 Feb 2019 at 16:45, Yegor Ievlev <koops1997 at gmail.com> wrote:
> > That doesn't seem to be
2015 Dec 11
16
[Bug 2515] New: Implement diffie-hellman-group{14,15,16)-sha256
https://bugzilla.mindrot.org/show_bug.cgi?id=2515
Bug ID: 2515
Summary: Implement diffie-hellman-group{14,15,16)-sha256
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: ASSIGNED
Severity: enhancement
Priority: P3
Component: ssh
Assignee: dtucker at
2019 Feb 15
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
On Fri, 2019-02-15 at 15:57 +1100, Darren Tucker wrote:
> That was the original intent (and it's mentioned in RFC4419) however
> each moduli file we ship (70-80 instances of 6 sizes) takes about 1
> cpu-month to generate on a lowish-power x86-64 machine. Most of it
> is
> parallelizable, but even then it'd likely take a few hours to
> generate
> one of each size. I
2019 Feb 14
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
Can we disable diffie-hellman-group14-sha1 too?
On Thu, Feb 14, 2019 at 10:23 PM Mark D. Baushke <mdb at juniper.net> wrote:
>
> Hi John,
>
> The short answer is YES.
>
> Jon DeVree <nuxi at vault24.org> writes:
>
> > I ask because the removal of diffie-hellman-group-exchange-sha1 happened
> > accidently in 7.8 due to a mistake in a change to
2014 Oct 10
3
[Bug 2291] New: ssh -Q kex lists diffie-hellman-group1-sha1 twice
https://bugzilla.mindrot.org/show_bug.cgi?id=2291
Bug ID: 2291
Summary: ssh -Q kex lists diffie-hellman-group1-sha1 twice
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: sftp-server
Assignee:
2019 Feb 14
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
I ask because the removal of diffie-hellman-group-exchange-sha1 happened
accidently in 7.8 due to a mistake in a change to readconf.c. I noticed
this and filed a bug about it along with a patch to fix readconf.c to use
KEX_CLIENT_* like it used to:
https://github.com/openssh/openssh-portable/commit/1b9dd4aa
https://bugzilla.mindrot.org/show_bug.cgi?id=2967
Its clear the removal was unintentional
2020 Sep 07
0
Wireshark LDAP capture vs Diffie-Hellman / pre-master secret - key log file
Hi,
I am trying to debug a new (to me) printer, that should be able to use
AD (for LDAP / address book lookups as well as authentication).
It's been a while since I needed to dump traffic with wireshark; and
evidently it's got harder since I last tried :)
I have generated a wireshark dump on my DC, to see what the printer is
trying to do, using:
dc1$ sudo tcpdump host myprinter and port
2015 Jul 20
2
WinSCP 5.7.5 will support the RFC 4419 revision to Diffie-Hellman group exchange
Hello,
I'd like to inform you that the next release of WinSCP SFTP client (version 5.7.5) will support Diffie-Hellman group exchange as specified by RFC 4419.
http://winscp.net/tracker/show_bug.cgi?id=1345
So I'd like to ask you to kindly update the check in
compat_datafellows() to
WinSCP_release_4*
WinSCP_release_5.0*
WinSCP_release_5.1*
WinSCP_release_5.2*
WinSCP_release_5.5*