Hi all,
The stunnel docs say that starting with stunnel 5.18, DH params are auto-generated every 24 hours and that this "may take several minutes".
I see that for this purpose, stunnel uses OpenSSL's DH_generate_parameters[_ex] function. According to the OpenSSL API docs [1], these functions "may run for several hours before finding a suitable prime."
[1]: https://www.openssl.org/docs/manmaster/crypto/DH_generate_parameters.html
Wouldn't it make sense to use "DSA-like" DH params for this purpose? These are much faster to generate and apparently equally safe.
DSA-like DH params are generated using DSA_generate_parameters[_ex]. It is the equivalent of passing the -dsaparam option to the openssl dhparam command.
Some useful info:
- http://security.stackexchange.com/a/95184/109144
- http://dovecot.org/pipermail/dovecot/2015-November/102447.html
Best regards,
Guillermo Rodriguez Garcia guille.rodriguez@gmail.com
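The following is an added illustration of the point made in the message above; it is not stunnel's or OpenSSL's code. It builds both kinds of group in pure Python at toy bit sizes: the classic safe-prime construction (p = 2q + 1, both prime, what `openssl dhparam` does) and the DSA-like construction (prime q first, then a prime p = k*q + 1 and a generator of order q, what `openssl dhparam -dsaparam` does). The two conditions that must hold simultaneously in the safe-prime search are why it is so much slower. The `check_params` and `peer_value_ok` functions are the validation steps a defender would want alongside DSA-like groups; the bit sizes, timings and function names are assumptions chosen for the demo, not values from the message.

```python
"""Added example (not stunnel or OpenSSL code): why "DSA-like" DH params
are cheap to generate compared with classic safe-prime params.

Safe-prime params: p = 2q + 1 with p and q both prime (two primality
conditions at once, so few candidates survive).
DSA-like params: prime q first, then prime p = k*q + 1, then a generator
g = h^((p-1)/q) mod p of order q (one primality search over p).

Bit sizes are toy values so the demo runs in seconds in pure Python; real
deployments use 2048-bit p (and e.g. 256-bit q for DSA-like groups).
"""
import secrets
import time

# small-prime trial division table, used before Miller-Rabin
SMALL_PRIMES = [n for n in range(2, 1000)
                if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n, rounds=32):
    """Trial division by SMALL_PRIMES, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime_params(bits):
    """Classic params: random q until both q and p = 2q + 1 are prime.
    g = 4 is a non-trivial square mod p, so its order is exactly q.
    Returns (p, q, g, candidates_tried)."""
    tried = 0
    while True:
        tried += 1
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1  # odd, top bit set
        if not is_probable_prime(q):
            continue
        p = 2 * q + 1
        if is_probable_prime(p):
            return p, q, 4, tried


def gen_dsa_like_params(pbits, qbits):
    """DSA-style params: prime q first, then prime p = k*q + 1 with k even,
    then g = h^((p-1)/q) mod p for the smallest h giving g != 1.
    Returns (p, q, g, candidates_tried)."""
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q):
            break
    tried = 0
    while True:
        tried += 1
        k = (secrets.randbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
        p = k * q + 1
        if p.bit_length() == pbits and is_probable_prime(p):
            break
    h = 2
    while True:
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g, tried
        h += 1


def check_params(p, q, g):
    """What a verifier should confirm for either kind of group:
    p and q prime, q divides p-1, 1 < g < p-1, and g has order q."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 1 < g < p - 1 and pow(g, q, p) == 1)


def peer_value_ok(y, p, q):
    """Public-value validation for a received DH value: it must lie in the
    order-q subgroup. This matters most for DSA-like groups, where p-1 has
    many small factors and a reused private key could otherwise be probed
    one small subgroup at a time."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def compare(safe_bits=256, pbits=1024, qbits=160):
    """Time both constructions and return the measurements as a dict."""
    t0 = time.perf_counter()
    p1, q1, g1, n1 = gen_safe_prime_params(safe_bits)
    t1 = time.perf_counter()
    p2, q2, g2, n2 = gen_dsa_like_params(pbits, qbits)
    t2 = time.perf_counter()
    return {"safe_ok": check_params(p1, q1, g1), "safe_trials": n1,
            "safe_seconds": t1 - t0,
            "dsa_ok": check_params(p2, q2, g2), "dsa_trials": n2,
            "dsa_seconds": t2 - t1}


if __name__ == "__main__":
    for key, val in compare().items():
        print(f"{key:>13}: {val}")
```

Running `compare()` shows a 256-bit safe prime costing thousands of candidates while a 1024-bit DSA-like p (with a 160-bit q) is found in a few hundred, even though the second group is four times larger. The trade-off the validation helpers make visible: with a safe prime the subgroup structure is trivial, whereas a DSA-like group relies on both sides checking that received values have order q, especially if private keys are reused across handshakes.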