Displaying 20 results from an estimated 300 matches similar to: "Wireshark LDAP capture vs Diffie-Hellman / pre-master secret - key log file"
2020 Sep 30
2
debugging TLS with wireshark and a custom application ?
Hi!
My question is: can dovecot be used to debug/decrypt TLS sessions ?
The reason I'm asking:
A custom application wants to speak IMAP with TLS with a dovecot
instance.
It fails, and the error message is, unfortunatly, not very helpful.
tcpdump shows that the session is established, but fails. The custom
application says error 60000, not much more.
There is a way to decode TLS sessions
2014 Oct 10
3
[Bug 2291] New: ssh -Q kex lists diffie-hellman-group1-sha1 twice
https://bugzilla.mindrot.org/show_bug.cgi?id=2291
Bug ID: 2291
Summary: ssh -Q kex lists diffie-hellman-group1-sha1 twice
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: sftp-server
Assignee:
2018 Jun 22
0
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
> On 22 June 2018 at 10:18 tai74 at vfemail.net wrote:
>
>
>
> hi sorry if question was asked already. Was reading
> https://wiki2.dovecot.org/Upgrading/2.3
>
> first I'm confused on diffie hellman parameters file. I never set up
> ssl-parameters.dat before (should i have? do I have one that was
> automatically made for me by dovecot?)
>
> Do I need
2018 Jun 22
0
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
On Fri, 22 Jun 2018, Joseph Tam wrote:
> However, recent advances make this condition obsolete [*] and not
> really safer, so a much faster way to generate a DH key is
>
> openssl dhparam -dsaparam -out dh.pem 4096
>
> DH generation is a one time operation, so if you're paranoid and you've
> got time to burn, go ahead and generate the "safe" DH key.
>
2018 Jun 25
1
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
Thanks Joseph, Aki, but something missing from upgrade document, where
does the dh param file go? I located ssl-parameters.dat so I will put
it there.
Quoting Joseph Tam <jtam.home at gmail.com>:
> On Fri, 22 Jun 2018, Joseph Tam wrote:
>
>> However, recent advances make this condition obsolete [*] and not
>> really safer, so a much faster way to generate a DH key is
2019 Feb 15
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
That doesn't seem to be the case. See
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
(5.6.1 Comparable Algorithm Strengths)
On Fri, Feb 15, 2019 at 8:28 AM Darren Tucker <dtucker at dtucker.net> wrote:
>
> On Fri, 15 Feb 2019 at 16:00, Yegor Ievlev <koops1997 at gmail.com> wrote:
> > I don't think there is any point to generate so
2019 Feb 14
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
Can we disable diffie-hellman-group14-sha1 too?
On Thu, Feb 14, 2019 at 10:23 PM Mark D. Baushke <mdb at juniper.net> wrote:
>
> Hi John,
>
> The short answer is YES.
>
> Jon DeVree <nuxi at vault24.org> writes:
>
> > I ask because the removal of diffie-hellman-group-exchange-sha1 happened
> > accidently in 7.8 due to a mistake in a change to
2018 Jun 22
2
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
On Fri, 22 Jun 2018, Aki Tuomi wrote:
>> Do I need to make a fresh dh.pem? The upgrade doc tells how to convert
>> ssl-parameters.dat but how to make a new one?
>
> ... or you can make a fresh one using openssl
> gendh 4096 > dh.pem
This also works
openssl dhparam -out dh.pem 4096
> Note that this will require quite a lot of entropy, so you should
> probably
2015 Jul 20
2
WinSCP 5.7.5 will support the RFC 4419 revision to Diffie-Hellman group exchange
Hello,
I'd like to inform you that the next release of WinSCP SFTP client (version 5.7.5) will support Diffie-Hellman group exchange as specified by RFC 4419.
http://winscp.net/tracker/show_bug.cgi?id=1345
So I'd like to ask you to kindly update the check in
compat_datafellows() to
WinSCP_release_4*
WinSCP_release_5.0*
WinSCP_release_5.1*
WinSCP_release_5.2*
WinSCP_release_5.5*
2019 Feb 14
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
I ask because the removal of diffie-hellman-group-exchange-sha1 happened
accidently in 7.8 due to a mistake in a change to readconf.c. I noticed
this and filed a bug about it along with a patch to fix readconf.c to use
KEX_CLIENT_* like it used to:
https://github.com/openssh/openssh-portable/commit/1b9dd4aa
https://bugzilla.mindrot.org/show_bug.cgi?id=2967
Its clear the removal was unintentional
2017 Mar 20
1
Deploying Diffie-Hellman for TLS
I have been reading up on TLS and Dovecot and came across this URL:
https://www.weakdh.org/sysadmin.html which recommended these settings
for Dovecot. I would like to know if they are correct? Some much
documentation on the web is pure garbage.
Dovecot
These changes should be made in /etc/dovecot.conf
Cipher Suites
2018 Jun 22
2
upgrade 2.2 to 2.3, diffie-hellman, ssl_min_protocol
hi sorry if question was asked already. Was reading
https://wiki2.dovecot.org/Upgrading/2.3
first I'm confused on diffie hellman parameters file. I never set up
ssl-parameters.dat before (should i have? do I have one that was
automatically made for me by dovecot?)
Do I need to make a fresh dh.pem? The upgrade doc tells how to convert
ssl-parameters.dat but how to make a new one?
other
2019 Jan 19
3
Can we disable diffie-hellman-group14-sha1 by default?
e.g. can we make it throw warnings etc. rsa-sha2-256 and rsa-sha2-512
are fine, they use PSS.
On Sun, Jan 20, 2019 at 1:55 AM Yegor Ievlev <koops1997 at gmail.com> wrote:
>
> Also can we do anything with ssh-rsa? It uses both SHA-1 and
> deprecated PKCS#1 padding. If it's used to sign certificates, there's
> no additional protection of SHA-2 hashing before SHA-1
2019 Feb 15
3
Can we disable diffie-hellman-group-exchange-sha1 by default?
I don't think there is any point to generate so many moduli. Actually,
3 moduli of sizes 2048, 3072 and 4096 seem like a sane choice.
On Fri, Feb 15, 2019 at 7:58 AM Darren Tucker <dtucker at dtucker.net> wrote:
>
> On Fri, 15 Feb 2019 at 14:22, Yegor Ievlev <koops1997 at gmail.com> wrote:
> > I'm not nearly knowledgeable enough in crypto to fully understand your
2019 Feb 15
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
I referred to the fact that there is no value for 4096-bit groups at
all. For higher strengths than 128 bits one should probably not use
non-EC crypto at all, as the document suggests.
On Fri, Feb 15, 2019 at 9:19 AM Darren Tucker <dtucker at dtucker.net> wrote:
>
> On Fri, 15 Feb 2019 at 16:45, Yegor Ievlev <koops1997 at gmail.com> wrote:
> > That doesn't seem to be
2019 Jan 19
4
Can we disable diffie-hellman-group14-sha1 by default?
I'm not sure if collision resistance is required for DH key
derivation, but generally, SHA-1 is on its way out. If it's possible
(if there's not a very large percentage of servers that do not support
anything newer), it should be disabled.
2013 Sep 24
3
2048-bit Diffie-Hellman parameters
Currently, dovecot generates two primes for Diffie-Hellman key
exchanges: a 512-bit one and a 1024-bit one. In light of recent
events, I think it would be wise to add support for 2048-bit primes as
well, or even better, add a configuration option that lets the user
select a file (or files) containing the DH parameters
In recent years, there has been increased interest in DH especially in
its
2019 Feb 15
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
On Fri, 2019-02-15 at 15:57 +1100, Darren Tucker wrote:
> That was the original intent (and it's mentioned in RFC4419) however
> each moduli file we ship (70-80 instances of 6 sizes) takes about 1
> cpu-month to generate on a lowish-power x86-64 machine. Most of it
> is
> parallelizable, but even then it'd likely take a few hours to
> generate
> one of each size. I
2007 Sep 21
4
Diffie Hellman key exchange algorithms
A few questions regarding the OpenSSH support for the Diffie Hellman key exchange algorithms:
(1) Are the diffie-hellman-group-exchange-sha256",
"diffie-hellman-group-exchange-sha1"
, "diffie-hellman-group14-sha1" "diffie-hellman-group1-sha1" (as
defined in RFCs 4253 and RFC 4419) the complete list of key exchange
algorithms supported by OpenSSH?
(2) Is there a
2019 Feb 15
4
Can we disable diffie-hellman-group-exchange-sha1 by default?
I'm not nearly knowledgeable enough in crypto to fully understand your
answer, but I will try. I wonder why moduli are not automatically
generated the first time sshd is started though. That would make much
more sense than shipping a default moduli file but also asking
everyone to replace it with their own.
On Fri, Feb 15, 2019 at 5:50 AM Mark D. Baushke <mdb at juniper.net> wrote:
>