[gnutls-help] --bits should not arbitrarily prohibit me from creating small dh params
Micah Anderson
micah at riseup.net
Fri Sep 27 02:56:58 CEST 2013
Hello,
I would prefer to use certtool over openssl in order to generate the DH
parameter files that I need for my postfix MTA installations,
unfortunately it seems as if certtool is not letting me create smaller
bit sizes.
Postfix currently accepts two possible settings:
http://www.postfix.org/postconf.5.html#smtpd_tls_dh512_param_file
http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file
it seems I cannot generate the dh512 param file with certtool:
$ certtool --generate-dh-params --bits=512 --outfile=/tmp/dh_512.pem
** Note: Please use the --sec-param instead of --bits
Error generating parameters: The request is invalid.
I believe that this is a too small bit size, but in a MTA world, I need
to be able to gracefully accept smaller bit sizes if a client only can
do those. If I do not configure the 512bit file, that means is if
someone connects to my MTA who is only offering 512bits of DH, then I
would refuse to talk to them and we'd just do it in the clear... that is
not a good situation. Postfix will use the better parameters when peers
can accept them, but I need to still be able to work with peers that
cannot accept the reasonable parameters.
I understand the goal of pushing people to use the --sec-param option to
automatically make some crypto decisions for people, so they don't need
to worry about them, but I would prefer that you do not disable the
--bits functionality when the bits are considered too low and let me
decide that.
thanks!
micah
More information about the Gnutls-help
mailing list