[stunnel-users] Temporary DH params in stunnel

Guillermo Rodriguez Garcia guille.rodriguez at gmail.com
Tue May 10 16:52:49 CEST 2016


Hi all,

The stunnel docs say that starting with stunnel 5.18, DH params are
auto-generated every 24 hours and that this "may take several
minutes".

I see that for this purpose, stunnel uses OpenSSL's
DH_generate_parameters[_ex] function. According to the OpenSSL API
docs [1], these functions "may run for several hours before finding a
suitable prime."

 [1]: https://www.openssl.org/docs/manmaster/crypto/DH_generate_parameters.html

Wouldn't it make sense to use "DSA-like" DH params for this purpose?
These are much faster to generate and apparently equally safe.

DSA-like DH params are generated using DSA_generate_parameters[ex]. It
is the equivalent of passing the -dsaparam option to the openssl
dhparam command.

Some useful info:
 - http://security.stackexchange.com/a/95184/109144
 - http://dovecot.org/pipermail/dovecot/2015-November/102447.html

Best regards,

Guillermo Rodriguez Garcia
guille.rodriguez at gmail.com



More information about the stunnel-users mailing list