Hi all,

The stunnel docs say that starting with stunnel 5.18, DH params are auto-generated every 24 hours and that this "may take several minutes".

I see that for this purpose, stunnel uses OpenSSL's DH_generate_parameters[_ex] function. According to the OpenSSL API docs [1], these functions "may run for several hours before finding a suitable prime."

[1]: https://www.openssl.org/docs/manmaster/crypto/DH_generate_parameters.html

Wouldn't it make sense to use "DSA-like" DH params for this purpose? These are much faster to generate and apparently equally safe.

DSA-like DH params are generated using DSA_generate_parameters[ex]. It is the equivalent of passing the -dsaparam option to the openssl dhparam command.

Some useful info: - http://security.stackexchange.com/a/95184/109144 - http://dovecot.org/pipermail/dovecot/2015-November/102447.html

Best regards,

Guillermo Rodriguez Garcia guille.rodriguez@gmail.com