Re: creation of ssl-parameters fails

2018-08-20 Thread Aki Tuomi



On 20.08.2018 14:32, Kai Schaetzl wrote:
> Aki Tuomi wrote on Sun, 19 Aug 2018 20:56:28 +0300 (EEST):
>
>> openssl gendh 4096 > params.pem
> Ok. I then misunderstood what's written at
> https://wiki.dovecot.org/SSL/DovecotConfiguration
>
> I thought I need to create dh.pem in two steps:
>
> 1. openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
> 2. dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl 
> dhparam -inform der > /etc/dovecot/dh.pem
>
> That's what I did on the first installation. ssl-parameters.dat already 
> existed and I just used the second command to transform it. Now I thought 
> I must have generated ssl-parameters.dat with the first command back 
> then. But apparently I haven't.
>
> Now I was trying to make steps 1 and 2 and that fails because the 
> generated ssl-parameters.dat is apparently not the format expected.
>
> Basically
> openssl dhparam 4096 > /etc/dovecot/dh.pem
> would do the trick? I misread that from the wiki.

Yes. ssl-parameters.dat is a file which contains the generated
parameters, and the dd trick is just to save some time; it basically
extracts the DER-formatted parameters from there and converts them into PEM.
The ssl-parameters.dat file is not used by Dovecot in any way after 2.3.0.

Aki

> Before reading your reply I checked
> https://www.openssl.org/docs/man1.0.2/apps/dhparam.html
> and tried this command:
> openssl dhparam -outform DER -out /etc/dovecot/dh-new.pem -2 4096
> (after reading Alexander's reply).
> It just finished and dovecot seems to be working with it, although it's 
> got no DH header line. At least dovecot doesn't complain when starting up.
> Anyway, I'll now reuse the dh.pem from no. 1 on the other machines.
>
> Thanks for the help!
>
> Kai
>
>



Re: creation of ssl-parameters fails

2018-08-20 Thread Kai Schaetzl
Aki Tuomi wrote on Sun, 19 Aug 2018 20:56:28 +0300 (EEST):

> openssl gendh 4096 > params.pem

Ok. I then misunderstood what's written at
https://wiki.dovecot.org/SSL/DovecotConfiguration

I thought I need to create dh.pem in two steps:

1. openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
2. dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl 
dhparam -inform der > /etc/dovecot/dh.pem

That's what I did on the first installation. ssl-parameters.dat already 
existed and I just used the second command to transform it. Now I thought 
I must have generated ssl-parameters.dat with the first command back 
then. But apparently I haven't.

Now I was trying to make steps 1 and 2 and that fails because the 
generated ssl-parameters.dat is apparently not the format expected.

Basically
openssl dhparam 4096 > /etc/dovecot/dh.pem
would do the trick? I misread that from the wiki.

Before reading your reply I checked
https://www.openssl.org/docs/man1.0.2/apps/dhparam.html
and tried this command:
openssl dhparam -outform DER -out /etc/dovecot/dh-new.pem -2 4096
(after reading Alexander's reply).
It just finished and dovecot seems to be working with it, although it's 
got no DH header line. At least dovecot doesn't complain when starting up.
Anyway, I'll now reuse the dh.pem from no. 1 on the other machines.

Thanks for the help!

Kai




Re: creation of ssl-parameters fails

2018-08-19 Thread Doug Barton

On 08/19/2018 09:38 AM, Kai Schaetzl wrote:

the machine hasn't enough entropy


I believe you mentioned that you're using Ubuntu. If so, install haveged.


Re: creation of ssl-parameters fails

2018-08-19 Thread Alexander Dalloz

Am 19.08.2018 um 17:08 schrieb Kai Schaetzl:

I did that the last time one year ago, now on another machine with the
same software (Ubuntu 16.04) it fails.

openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam
-inform der > /etc/dovecot/dh.pem
last command fails with

681+0 records in
681+0 records out
681 bytes copied, 0,00278343 s, 245 kB/s
unable to load DH parameters
139858178938624:error:0D0680A8:asn1 encoding
routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
139858178938624:error:0D07803A:asn1 encoding
routines:asn1_item_embed_d2i:nested asn1
error:../crypto/asn1/tasn_dec.c:289:Type=DH

ssl-parameters.dat is more than double the size of the one that worked.
And that one I can still transform:

272+0 records in
272+0 records out
272 bytes copied, 0,00105017 s, 259 kB/s

So, something with
openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
must be wrong. But what?
https://wiki.dovecot.org/SSL/DovecotConfiguration
tells to use this command.

Thanks!

Kai


The DH file you run your command against is not DER formatted. Mine is 
in PEM format and contains


-----BEGIN DH PARAMETERS-----
...
-----END DH PARAMETERS-----

Alexander




Re: creation of ssl-parameters fails

2018-08-19 Thread Aki Tuomi


> On 19 August 2018 at 20:55 Aki Tuomi  wrote:
> 
> 
> 
> > On 19 August 2018 at 19:38 Kai Schaetzl  wrote:
> > 
> > 
> > Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:
> > 
> > > Just generate new parameters on some machine with good entropy source.
> > 
> > So, if it fails to transform (although bigger) the machine hasn't enough 
> > entropy (because it's quite new?)? I'm generating now on the original 
> > machine from last year which is still going on while a second run on one 
> > of the machines where it failed to transform is already finished. So, that 
> > would indicate it has less entropy?
> > Can I re-use the ssl-parameters.dat for several machines or should I 
> > create a new one for each?
> > For the time being I just copied the dh.pem over, to get going, but I 
> > guess this should only be a temporary workaround?
> > 
> > Thanks!
> > 
> > Kai
> > 
> >
> 
> The transformation probably fails because your ssl-parameters.dat file is 
> somewhat different than what it usually is, so probably the offset should be 
> bigger than 88. You could try using skip=152 and see if it works.
> 
> It is not strictly speaking mandatory to have per-installation dh parameters, 
> you can reuse the generated parameters within your site.
> 
> Aki

Oh, and for ssl_dh= you can just use the following command; you don't need to 
use the ssl-parameters.dat file at all.

openssl gendh 4096 > params.pem

Aki


Re: creation of ssl-parameters fails

2018-08-19 Thread Aki Tuomi


> On 19 August 2018 at 19:38 Kai Schaetzl  wrote:
> 
> 
> Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:
> 
> > Just generate new parameters on some machine with good entropy source.
> 
> So, if it fails to transform (although bigger) the machine hasn't enough 
> entropy (because it's quite new?)? I'm generating now on the original 
> machine from last year which is still going on while a second run on one 
> of the machines where it failed to transform is already finished. So, that 
> would indicate it has less entropy?
> Can I re-use the ssl-parameters.dat for several machines or should I 
> create a new one for each?
> For the time being I just copied the dh.pem over, to get going, but I 
> guess this should only be a temporary workaround?
> 
> Thanks!
> 
> Kai
> 
>

The transformation probably fails because your ssl-parameters.dat file is 
somewhat different than what it usually is, so probably the offset should be 
bigger than 88. You could try using skip=152 and see if it works.

It is not strictly speaking mandatory to have per-installation dh parameters, 
you can reuse the generated parameters within your site.

Aki

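The two replies above hinge on the same mechanism: ssl-parameters.dat carries the DER-encoded DH parameters behind a header of some length, the `dd bs=1 skip=N | openssl dhparam -inform der` recipe only works when N lands exactly on the DER SEQUENCE, and a wrong N is what produces the `asn1_check_tlen:wrong tag` error quoted earlier in the thread. The following is an added example, not code from the thread, from Dovecot or from OpenSSL: it parses the PKCS#3 `DHParameter` structure strictly, shows why a fixed skip of 88 or 152 can succeed or fail, finds the DER by scanning instead of guessing the offset, and converts between DER and the `-----BEGIN DH PARAMETERS-----` PEM form. The input blob is constructed for the demo (a made-up 88-byte header followed by parameters with a toy 127-bit prime); nothing about the real ssl-parameters.dat layout is assumed beyond "header, then DER".

```python
# Added example (not Dovecot or OpenSSL code): locate DER-encoded DH parameters
# at an unknown offset inside a larger file, the problem behind 'dd ... skip=88'.
# Standard library only; the input blob at the bottom is constructed for the demo.
import base64

PEM_HEADER = "-----BEGIN DH PARAMETERS-----"
PEM_FOOTER = "-----END DH PARAMETERS-----"

def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 when the top bit is set)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body

def der_dh_params(p: int, g: int) -> bytes:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    inner = der_integer(p) + der_integer(g)
    return b"\x30" + _der_len(len(inner)) + inner

def _read_tlv(buf: bytes, pos: int):
    """Decode one tag and length at pos -> (tag, content_start, content_end) or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            return None
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return None if pos + length > len(buf) else (tag, pos, pos + length)

def parse_dh_der(der: bytes):
    """Strict parse of SEQUENCE { INTEGER p, INTEGER g [, INTEGER privateValueLength] }.
    Returns (p, g), or None where openssl would report 'asn1_check_tlen:wrong tag'."""
    outer = _read_tlv(der, 0)
    if outer is None or outer[0] != 0x30 or outer[2] != len(der):
        return None
    _, pos, end = outer
    ints = []
    while pos < end:
        tlv = _read_tlv(der, pos)
        if tlv is None or tlv[0] != 0x02:
            return None
        ints.append(int.from_bytes(der[tlv[1]:tlv[2]], "big"))
        pos = tlv[2]
    if len(ints) not in (2, 3) or ints[0] < 2 or ints[1] < 2:
        return None
    return ints[0], ints[1]

def try_fixed_offset(blob: bytes, skip: int) -> bool:
    """What 'dd bs=1 skip=N | openssl dhparam -inform der' tests: does a fixed
    skip land exactly on the DH SEQUENCE?"""
    return parse_dh_der(blob[skip:]) is not None

def find_dh_params(blob: bytes):
    """Scan instead of guessing the offset -> (offset, der_bytes) or None."""
    for off in range(len(blob)):
        if blob[off] != 0x30:
            continue
        tlv = _read_tlv(blob, off)
        if tlv is not None and parse_dh_der(blob[off:tlv[2]]) is not None:
            return off, blob[off:tlv[2]]
    return None

def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"

def pem_to_der(pem: str) -> bytes:
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not a DH PARAMETERS PEM block")
    return base64.b64decode("".join(lines[1:-1]))

def load_dh_params(data: bytes):
    """Accept PEM, bare DER, or DER behind an unknown-length header.
    Returns (offset, der_bytes, (p, g))."""
    if data.lstrip().startswith(PEM_HEADER.encode("ascii")):
        der = pem_to_der(data.decode("ascii"))
        return 0, der, parse_dh_der(der)
    found = find_dh_params(data)
    if found is None:
        raise ValueError("no DER DH parameters found: wrong offset, or the file is not DER")
    return found[0], found[1], parse_dh_der(found[1])

# Constructed demo input (not a real Dovecot file): an 88-byte made-up header,
# then DER params with a toy 127-bit prime; real parameters are 2048 bits or more.
TOY_P = (1 << 127) - 1
TOY_G = 2
SAMPLE_DER = der_dh_params(TOY_P, TOY_G)
SAMPLE_BLOB = b"DUMMY-SSL-PARAMETERS-HEADER".ljust(88, b"\x00") + SAMPLE_DER

if __name__ == "__main__":
    print("skip=88:", try_fixed_offset(SAMPLE_BLOB, 88), " skip=152:", try_fixed_offset(SAMPLE_BLOB, 152))
    off, der, (p, g) = load_dh_params(SAMPLE_BLOB)
    print(f"DER at offset {off}; p is {p.bit_length()} bits, g={g}")
    print(der_to_pem(der), end="")
```

Run it as-is for the constructed blob, or replace `SAMPLE_BLOB` with the bytes of a real ssl-parameters.dat to learn the correct skip value before touching `dd`. `load_dh_params` also accepts a PEM file, which is the cheap check for whether a file written with `-outform DER` (no `BEGIN DH PARAMETERS` line) or with the default PEM output is what you actually have. The parser is deliberately strict (the SEQUENCE must span the whole input and hold only INTEGERs), so a guessed offset that lands mid-structure fails the way openssl does instead of returning garbage.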

Re: creation of ssl-parameters fails

2018-08-19 Thread Kai Schaetzl
Well, on that machine it took now more than an hour. But it created the 
same 769-byte file as on the other machines. And, foreseeably, that one 
fails to transform as well.

-rw-r--r--  1 root root  360 Aug  7  2017 ssl-parameters.dat
-rw-r--r--  1 root root  769 Aug 19 19:25 ssl-parameters.new.dat

I cannot remember how I created the first one; I don't seem to have a 
record of that. Google says that dovecot would create the 
ssl-parameters.dat file by itself on first startup. Does or did it do that?
If so, then it uses a different creation process. On that machine I had 
the default dovecot installed and running before going to 2.3. On the new 
machines I jumped right to 2.3 without ever running 2.2. Maybe 2.3 is not 
creating this file?

Kai




Re: creation of ssl-parameters fails

2018-08-19 Thread Kai Schaetzl
Aki Tuomi wrote on Sun, 19 Aug 2018 18:21:31 +0300:

> Just generate new parameters on some machine with good entropy source.

So, if it fails to transform (although bigger) the machine hasn't enough 
entropy (because it's quite new?)? I'm generating now on the original 
machine from last year which is still going on while a second run on one 
of the machines where it failed to transform is already finished. So, that 
would indicate it has less entropy?
Can I re-use the ssl-parameters.dat for several machines or should I 
create a new one for each?
For the time being I just copied the dh.pem over, to get going, but I 
guess this should only be a temporary workaround?

Thanks!

Kai




Re: creation of ssl-parameters fails

2018-08-19 Thread Aki Tuomi
Just generate new parameters on some machine with good entropy source.


-- 
Aki Tuomi
Dovecot Oy

-------- Original message --------
From: Kai Schaetzl
Date: 19/08/2018 18:08 (GMT+02:00)
To: dovecot@dovecot.org
Subject: creation of ssl-parameters fails
I did that the last time one year ago, now on another machine with the 
same software (Ubuntu 16.04) it fails.

openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam 
-inform der > /etc/dovecot/dh.pem
last command fails with

681+0 records in
681+0 records out
681 bytes copied, 0,00278343 s, 245 kB/s
unable to load DH parameters
139858178938624:error:0D0680A8:asn1 encoding 
routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
139858178938624:error:0D07803A:asn1 encoding 
routines:asn1_item_embed_d2i:nested asn1 
error:../crypto/asn1/tasn_dec.c:289:Type=DH

ssl-parameters.dat is more than double the size of the one that worked.
And that one I can still transform:

272+0 records in
272+0 records out
272 bytes copied, 0,00105017 s, 259 kB/s

So, something with
openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
must be wrong. But what?
https://wiki.dovecot.org/SSL/DovecotConfiguration
tells to use this command.

Thanks!

Kai





creation of ssl-parameters fails

2018-08-19 Thread Kai Schaetzl
I did that the last time one year ago, now on another machine with the 
same software (Ubuntu 16.04) it fails.

openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam 
-inform der > /etc/dovecot/dh.pem
last command fails with

681+0 records in
681+0 records out
681 bytes copied, 0,00278343 s, 245 kB/s
unable to load DH parameters
139858178938624:error:0D0680A8:asn1 encoding 
routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1129:
139858178938624:error:0D07803A:asn1 encoding 
routines:asn1_item_embed_d2i:nested asn1 
error:../crypto/asn1/tasn_dec.c:289:Type=DH

ssl-parameters.dat is more than double the size of the one that worked.
And that one I can still transform:

272+0 records in
272+0 records out
272 bytes copied, 0,00105017 s, 259 kB/s

So, something with
openssl dhparam 4096 > /var/lib/dovecot/ssl-parameters.dat
must be wrong. But what?
https://wiki.dovecot.org/SSL/DovecotConfiguration
tells to use this command.

Thanks!

Kai