
Hi all,

The stunnel docs say that starting with stunnel 5.18, DH params are auto-generated every 24 hours and that this "may take several minutes".

I see that for this purpose, stunnel uses OpenSSL's DH_generate_parameters[_ex] function. According to the OpenSSL API docs [1], these functions "may run for several hours before finding a suitable prime."

[1]: https://www.openssl.org/docs/manmaster/crypto/DH_generate_parameters.html

Wouldn't it make sense to use "DSA-like" DH params for this purpose? These are much faster to generate and apparently equally safe. DSA-like DH params are generated using DSA_generate_parameters[_ex]. It is the equivalent of passing the -dsaparam option to the openssl dhparam command.

Some useful info:

- http://security.stackexchange.com/a/95184/109144
- http://dovecot.org/pipermail/dovecot/2015-November/102447.html

Best regards,

Guillermo Rodriguez Garcia
guille.rodriguez@gmail.com
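Added example, not part of the original post and not stunnel or OpenSSL code: a Python sketch of why the two parameter styles differ so much in generation cost, building a safe-prime group (p = 2q + 1) and a DSA-like group (a short prime q dividing p - 1) and counting the candidates each search needs. The function names, the toy bit sizes and the simplified search (not the FIPS 186 procedure) are assumptions made for illustration.

```python
# Added illustration: toy sizes and a seedable non-cryptographic RNG, not for real keys.
import random

def is_probable_prime(n, rng, rounds=24):
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):  # cheap trial division
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:                      # write n - 1 as d * 2^s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):                # Miller-Rabin rounds
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # witness found: n is composite
    return True

def random_odd(bits, rng):
    return rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # exactly `bits` bits, odd

def safe_prime_params(bits, rng):
    """Safe-prime DH group: p = 2q + 1 with p and q both prime."""
    tries = 0
    while True:
        tries += 1
        q = random_odd(bits - 1, rng)
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, 4, tries  # 4 is a square mod p, so it has order q

def dsa_like_params(pbits, qbits, rng):
    """DSA-like group: pick a short prime q first, then search p = k*q + 1."""
    q = random_odd(qbits, rng)
    while not is_probable_prime(q, rng):
        q = random_odd(qbits, rng)
    tries, p = 0, 4
    while p.bit_length() != pbits or not is_probable_prime(p, rng):
        tries += 1
        k = random_odd(pbits - qbits, rng) - 1   # even k keeps p odd
        p = k * q + 1
    h = 2
    while pow(h, (p - 1) // q, p) == 1:    # find h whose q-order component is non-trivial
        h += 1
    return p, q, pow(h, (p - 1) // q, p), tries
```

Each function returns `(p, q, g, tries)`; comparing `tries` for the same modulus size shows the gap, since a safe prime needs two primality conditions to hold at once. The OpenSSL `dhparam` documentation notes that with DSA-style parameters a fresh DH key should be created for each use, because the large cofactor (p - 1)/q otherwise leaves room for small-subgroup attacks.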