Hello, I would prefer to use certtool over openssl in order to generate the DH parameter files that I need for my postfix MTA installations, unfortunately it seems as if certtool is not letting me create smaller bit sizes.
Postfix currently accepts two possible settings:

  http://www.postfix.org/postconf.5.html#smtpd_tls_dh512_param_file
  http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file

It seems I cannot generate the dh512 param file with certtool:

  $ certtool --generate-dh-params --bits=512 --outfile=/tmp/dh_512.pem
  ** Note: Please use the --sec-param instead of --bits
  Error generating parameters: The request is invalid.

I believe that this is a too small bit size, but in an MTA world, I need to be able to gracefully accept smaller bit sizes if a client can only do those. If I do not configure the 512bit file, that means that if someone connects to my MTA who is only offering 512 bits of DH, then I would refuse to talk to them and we'd just do it in the clear... that is not a good situation. Postfix will use the better parameters when peers can accept them, but I need to still be able to work with peers that cannot accept the reasonable parameters.

I understand the goal of pushing people to use the --sec-param option to automatically make some crypto decisions for people, so they don't need to worry about them, but I would prefer that you do not disable the --bits functionality when the bits are considered too low and let me decide that.

thanks!
micah

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
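Whichever tool writes the files named in smtpd_tls_dh512_param_file and smtpd_tls_dh1024_param_file, an operator wants to know what prime size each one actually carries before pointing Postfix at it. The script below is an added example, not code from the post or from GnuTLS: it parses the PKCS#3 DHParameter structure (SEQUENCE of prime and base INTEGERs) inside a "DH PARAMETERS" PEM block, the format both certtool --generate-dh-params and openssl dhparam emit, reports the prime's bit length, and sorts files into the weak/legacy/ok buckets an MTA admin cares about. The sample inputs are constructed moduli of the right size, not real primes, which is enough to exercise the size check; the hypothetical `assess()` thresholds are this example's choice, not a GnuTLS or Postfix policy.

```python
"""Audit PKCS#3 DH parameter files (the format written by
certtool --generate-dh-params and openssl dhparam) and report the prime size."""
import base64
import re
import sys

_PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _der_len(n):
    """DER length octets for a content length n (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER for a non-negative int; pads 0x00 when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params_pem(p, g=2):
    """DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    content = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(content)) + content
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(data, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def parse_dh_params_pem(pem):
    """Return (p, g) from a DH PARAMETERS PEM block; ValueError if malformed."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER prime and base")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_prime_bits(pem):
    """Bit length of the DH prime p in a PEM block."""
    return parse_dh_params_pem(pem)[0].bit_length()


def assess(pem):
    """Size bucket for an MTA DH file (thresholds are this example's choice)."""
    bits = dh_prime_bits(pem)
    if bits < 1024:
        return bits, "weak: below 1024 bits, only for legacy export-grade peers"
    if bits < 2048:
        return bits, "legacy: 1024 bits, plan to replace"
    return bits, "ok: 2048 bits or more"


# Constructed sample moduli: correct sizes, NOT primes; only size matters here.
SAMPLE_512 = encode_dh_params_pem((1 << 511) | 0x1234567, 2)
SAMPLE_2048 = encode_dh_params_pem((1 << 2047) | 0x89ABCDEF, 5)

if __name__ == "__main__":
    # Usage: python dh_audit.py /etc/postfix/dh512.pem /etc/postfix/dh1024.pem
    for path in sys.argv[1:]:
        with open(path) as fh:
            bits, verdict = assess(fh.read())
        print(f"{path}: {bits}-bit prime, {verdict}")
```

Run it over the two files Postfix is configured with and the verdicts tell you which one the 512-bit fallback setting is actually serving; the encoder is included so the parser can be checked against a round trip without depending on certtool being installed.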
