> On 19 August 2018 at 20:55 Aki Tuomi <aki.tu...@dovecot.fi> wrote:
>
>
> > On 19 August 2018 at 19:38 Kai Schaetzl <mailli...@conactive.com> wrote:
> >
> >
> > Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:
> >
> > > Just generate new parameters on some machine with good entropy source.
> >
> > So, if it fails to transform (although bigger) the machine hasn't enough
> > entropy (because it's quite new?)? I'm generating now on the original
> > machine from last year which is still going on while a second run on one
> > of the machines where it failed to transform is already finished. So, that
> > would indicate it has less entropy?
> > Can I re-use the ssl-parameters.dat for several machines or should I
> > create a new one for each?
> > For the time being I just copied the dh.pem over, to get going, but I
> > guess this should only be a temporary workaround?
> >
> > Thanks!
> >
> > Kai
> >
> >
>
> The transformation probably fails because your ssl-parameters.dat file is
> somewhat different than what it usually is, so probably the offset should be
> bigger than 88. You could try using skip=152 and see if it works.
>
> It is not strictly speaking mandatory to have per-installation dh parameters,
> you can reuse the generated parameters within your site.
>
> Aki

Oh, and for ssl_dh= you can just use the following command; you don't need to use the ssl-parameters.dat file at all.

openssl gendh 4096 > params.pem

Aki
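
Added example, not part of the original messages: the replies above guess at the dd skip= offset (88, then 152). Assuming ssl-parameters.dat holds DER-encoded DH parameters (a SEQUENCE of INTEGER p and INTEGER g) behind headers of unknown length, this Python code scans a byte string for such structures and reports the offset of each; the function names and the sample blob are constructed for illustration.

```python
def tlv(tag, body):
    """DER-encode one tag-length-value (used only to build the constructed sample)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def read_len(buf, i):
    """Decode a DER length at buf[i]; return (length, next_index) or None."""
    if i >= len(buf):
        return None
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    if not 1 <= n <= 4 or i + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def read_int(buf, i, end):
    """Decode a DER INTEGER at buf[i], bounded by end; return (value, next_index) or None."""
    if i >= end or buf[i] != 0x02:
        return None
    r = read_len(buf, i + 1)
    if r is None or r[0] == 0 or r[1] + r[0] > end:
        return None
    return int.from_bytes(buf[r[1]:r[1] + r[0]], "big"), r[1] + r[0]

def find_dh_params(buf):
    """Return [(offset, bits of p)] for each SEQUENCE { INTEGER p, INTEGER g } in buf."""
    hits = []
    for off in range(len(buf)):
        seq = read_len(buf, off + 1) if buf[off] == 0x30 else None
        if seq is None or seq[1] + seq[0] > len(buf):
            continue
        end = seq[1] + seq[0]
        p = read_int(buf, seq[1], end)
        g = read_int(buf, p[1], end) if p else None
        if g and g[1] == end and p[0] > g[0] > 1:
            hits.append((off, p[0].bit_length()))
    return hits

def sample_blob():
    """Constructed data: 8 filler bytes before each block; the p values are NOT real primes."""
    ints = lambda p: b"".join(tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (p, 2))
    return b"".join(b"\x00" * 8 + tlv(0x30, ints((1 << bits - 1) | 1)) for bits in (512, 2048))

if __name__ == "__main__":
    for off, bits in find_dh_params(sample_blob()):
        print(f"skip={off}  p is {bits} bits")
```

Run find_dh_params over the real file's bytes and use the reported offset of the largest block as the skip= value. Check the resulting PEM with openssl dhparam -check before deploying it.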