[stunnel-users] Temporary DH params in stunnel
Guillermo Rodriguez Garcia
guille.rodriguez at gmail.com
Tue May 10 16:52:49 CEST 2016
Hi all,
The stunnel docs say that starting with stunnel 5.18, DH params are
auto-generated every 24 hours and that this "may take several
minutes".
I see that for this purpose, stunnel uses OpenSSL's
DH_generate_parameters[_ex] function. According to the OpenSSL API
docs [1], these functions "may run for several hours before finding a
suitable prime."
[1]: https://www.openssl.org/docs/manmaster/crypto/DH_generate_parameters.html
Wouldn't it make sense to use "DSA-like" DH params for this purpose?
These are much faster to generate and apparently equally safe.
DSA-like DH params are generated using DSA_generate_parameters[_ex]. It
is the equivalent of passing the -dsaparam option to the openssl
dhparam command.
Some useful info:
- http://security.stackexchange.com/a/95184/109144
- http://dovecot.org/pipermail/dovecot/2015-November/102447.html
Best regards,
Guillermo Rodriguez Garcia
guille.rodriguez at gmail.com
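The difference the post describes, as an added illustration that is not stunnel's or OpenSSL's code: a toy generator for "safe prime" DH parameters (p = 2q+1 with both p and q prime, the DH_generate_parameters approach) beside a toy generator for DSA-like parameters (a small prime q, a prime p = kq+1, and a generator confined to the order-q subgroup, the DSA_generate_parameters / -dsaparam approach), plus a check in the spirit of `openssl dhparam -check`. Bit sizes, the Miller-Rabin primality test, the seed argument and the candidate counter are all assumptions made here so the search finishes in seconds and is reproducible; real parameters are 2048-bit and come from OpenSSL.

```python
"""Toy comparison of safe-prime vs DSA-like DH parameter generation.

Added example, not stunnel's or OpenSSL's implementation. Sizes are tiny on
purpose; the seed exists only to make runs reproducible (never seed a real
key or parameter generator from a small integer).
"""
import random
import time

# Odd primes below 2000, used for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [n for n in range(3, 2000, 2)
                if all(n % d for d in range(3, int(n ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=24, rng=None):
    """Trial division by small primes, then `rounds` Miller-Rabin bases."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    rng = rng if rng is not None else random
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False          # a is a witness of compositeness
    return True


def generate_safe_prime_params(bits, seed=None):
    """Safe-prime group: p = 2q + 1, both prime. Returns (p, g, candidates)."""
    rng = random.Random(seed)
    tested = 0
    while True:
        # random odd q of bits-1 bits with the top bit set, so p has `bits` bits
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        tested += 1
        if not is_probable_prime(q, rng=rng):
            continue
        p = 2 * q + 1
        if is_probable_prime(p, rng=rng):
            # 4 = 2^2 is a quadratic residue, so its order divides q; as
            # 4 != 1 (mod p) the order is exactly q: a subgroup generator.
            return p, 4, tested


def generate_dsa_like_params(pbits, qbits, seed=None):
    """DSA-like group: small prime q, prime p = k*q + 1, g of order q.
    Returns (p, q, g, candidates)."""
    rng = random.Random(seed)
    tested = 0
    while True:                                   # 1. a qbits-bit prime q
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        tested += 1
        if is_probable_prime(q, rng=rng):
            break
    while True:                                   # 2. a pbits-bit prime p = k*q + 1
        k = rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))
        k &= ~1                                   # even k keeps p odd
        p = k * q + 1
        tested += 1
        if p.bit_length() == pbits and is_probable_prime(p, rng=rng):
            break
    while True:                                   # 3. g = h^((p-1)/q) mod p, g != 1
        h = rng.randrange(2, p - 1)
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g, tested


def check_dh_params(p, q, g):
    """What a parameter check must establish: p and q prime, q | p-1, and g
    generating the order-q subgroup (g^q == 1, g not trivial)."""
    return (is_probable_prime(p) and is_probable_prime(q)
            and (p - 1) % q == 0 and 1 < g < p - 1 and pow(g, q, p) == 1)


def compare(pbits=256, qbits=128, seed=None):
    """Candidates examined and wall time for both methods at the same p size."""
    t0 = time.perf_counter()
    p, g, n_safe = generate_safe_prime_params(pbits, seed)
    t1 = time.perf_counter()
    p2, q2, g2, n_dsa = generate_dsa_like_params(pbits, qbits, seed)
    t2 = time.perf_counter()
    assert check_dh_params(p, (p - 1) // 2, g) and check_dh_params(p2, q2, g2)
    return {"safe_prime": (n_safe, t1 - t0), "dsa_like": (n_dsa, t2 - t1)}


if __name__ == "__main__":
    for method, (n, secs) in compare(seed=2016).items():
        print(f"{method:11s} candidates={n:6d}  {secs:.2f}s")
```

The safe-prime search needs two full-size primes to line up (q and 2q+1), so it examines an order of magnitude more candidates than the DSA-like search, which needs one small prime and one full-size prime of the form kq+1; at 2048 bits that gap is the "several minutes" versus seconds the post is about. The security-relevant caveat from the linked discussions is that a DSA-like p-1 has a known small-prime factor q by construction, so a peer must use a private exponent at least twice the size of q and a subgroup check (the `check_dh_params` conditions) to reject a public value outside the order-q subgroup.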