> On March 6, 2016 at 4:45 AM Joseph Tam <[email protected]> wrote:
>
>
> HotSlots Webmaster <[email protected]> writes:
>
> > I have had Dovecot working fine with SSL for nearly two years now. It's
> > time to renew the SSL certificate, so I did (same CA). The new
> > certificate works fine in Apache and Postfix. But when I update Dovecot
> > to use the same certificate, and restart the server, Dovecot stops
> > responding to connects.
> > ...
> > Here is the end of the dovecot -n file that mentions SSL:
> > ...
> > ssl_dh_parameters_length = 2048
>
> When you start dovecot, does CPU load of dovecot/ssl-params roof to 100%?
> It's possible it's generating ephemeral DH keys. In a previous post
> to this list, I note that the run time to generate these keys can vary
> wildly, and gets worse with longer keys. Sometimes you get lucky, and
> you'll generate them quickly, sometimes it takes a long while (minutes).
>
> http://dovecot.org/pipermail/dovecot/2015-November/102447.html
>
> Try running
>
> openssl dhparam -noout 2048
>
> to see how it varies for you. If what I suspect is true, you can try
> using shorter keys. A followup post suggests a way you can precompute
> the key.
>
> Joseph Tam <[email protected]>
We are going to provide an ssl_dh parameter in v2.3 which replaces the current ssl parameters daemon with a simple PEM encoded file that you provide.

---
Aki Tuomi
Dovecot Oy
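The thread's advice comes down to two things: measure how long DH parameter generation takes on your host, and generate the parameters once ahead of time rather than letting dovecot/ssl-params do it at every restart. The script below is an added example, not code from this thread or from the Dovecot project. It assumes the `openssl` command-line tool is installed; the `/etc/dovecot/dh.pem` path is an assumption chosen for illustration, and the `ssl_dh = </etc/dovecot/dh.pem` line shown in a comment is the v2.3 form of the setting Aki mentions, which reads the file at the given path.

```shell
#!/bin/sh
# Added example, not code from the Dovecot list thread above.
# Times Diffie-Hellman parameter generation at a chosen size and saves the
# result as a PEM file, so the slow step happens once, offline, instead of
# inside dovecot/ssl-params at every restart. Assumes the openssl CLI is
# installed; the Dovecot v2.3 config line and the /etc/dovecot/dh.pem path
# near the bottom are illustrative.

# gen_dh_params BITS OUTFILE
# Generate a BITS-long safe-prime DH group into OUTFILE, verify the file
# parses and passes openssl's own parameter checks, and print the elapsed
# seconds. Returns non-zero on any failure so a caller stops before
# deploying a bad file.
gen_dh_params() {
    bits="$1"
    out="$2"
    start=$(date +%s)
    openssl dhparam -out "$out" "$bits" 2>/dev/null || return 1
    end=$(date +%s)
    # -check validates p and g; a truncated or corrupt file fails here.
    openssl dhparam -in "$out" -noout -check >/dev/null 2>&1 || return 1
    echo $((end - start))
}

# dh_param_bits FILE
# Print the prime length recorded in a DH parameter PEM file, so a file
# copied into place can be compared against the intended size. Prints
# nothing if the file is not a DH parameter file.
dh_param_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p'
}

# main BITS...: show how the run time varies across sizes on this host.
# Runs only when sizes are given on the command line, so sourcing the file
# for its functions does no generation.
main() {
    for bits in "$@"; do
        tmp=$(mktemp)
        if ! secs=$(gen_dh_params "$bits" "$tmp"); then
            echo "generation failed for $bits bits" >&2
            rm -f "$tmp"
            exit 1
        fi
        echo "$bits-bit DH parameters: ${secs}s (file reports $(dh_param_bits "$tmp") bits)"
        rm -f "$tmp"
    done
    # Precompute once and point Dovecot v2.3 at the file (path assumed):
    #   gen_dh_params 2048 /etc/dovecot/dh.pem
    # and in dovecot.conf:
    #   ssl_dh = </etc/dovecot/dh.pem
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh dhtime.sh 1024 2048` a few times to see the variance Joseph describes; the safe-prime search is randomised, so the same size can take seconds on one run and minutes on the next. Because the script validates the file with `openssl dhparam -check` before reporting success, a restart of Dovecot after copying the file into place will not be left pointing at a truncated or half-written PEM.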
