On 07/02/2024 20:02, mike tancsa wrote:
Thanks for the continued sendmail support! One question, I noticed the
new mc file makes the following changes which refers to a file that does
not normally exist on RELENG_13. What is the best way to generate that
file?
[..]
@@ -606,7 +607,7 @@
# Directory containing hashes pointing to certificate revocation
status files
#O CRLPath
# DHParameters (only required if DSA/DH is used)
-#O DHParameters
+O DHParameters=/etc/mail/certs/dh.param
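Review bot: `+O DHParameters=/etc/mail/certs/dh.param` turns a commented-out option into an unconditional reference to a file that, as the question above notes, does not normally exist on RELENG_13; the default should either ship the file, ship a way to generate it, or stay commented with a note on how to create it. The comment two lines up, `# DHParameters (only required if DSA/DH is used)`, also no longer matches an option that is now always set, so it should say what happens when the file is absent.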
Almost any network daemon today can use DHParams files, but each has
its own location and some of them provide the script to re-generate it
periodically. There was a PR about it for ProFTPD a few years ago:
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208953
As a quick POC, I've provided a simple dhparams_gen.sh script.
https://bugs.freebsd.org/bugzilla/attachment.cgi?id=247526&action=edit
I think something like this can be included in the base and all services
from ports and base should be configured to use the same dhparams.pem
file, easily managed from cron or manually by one simple command.
The submitted script generates DH params from 1024 to 8192. From what I
read on the net, 1024 and 1536 should not be used and from my experience
generating anything above 4096 takes too much time (the script runs for
hours on a not so modern machine), so I created another version of the
dhparams_gen.sh where the user can specify what sizes will be generated by
defining the range; for example "2048 4096" will generate only the 2048,
3072 and 4096 sizes.
It is very simple scripting and as nobody reacted to the PR I didn't
post the newer version. I can send it to you if you want.
Kind regards
Miroslav Lachman
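The range-driven generator described above, as an added example rather than the script attached to the PR: it expands a "MIN MAX" range into 1024-bit steps, refuses sizes below 2048, and writes each parameter file into a temporary file before renaming it, so a daemon pointed at the file never reads a half-written one. The output directory /etc/mail/certs (where the diff puts dh.param) and the dh<bits>.pem file names are assumptions.

```shell
#!/bin/sh
# Added example: generate DH parameter files for a range of sizes.
# DH_DIR is an assumed location; the diff above references /etc/mail/certs.
set -eu

DH_DIR="${DH_DIR:-/etc/mail/certs}"

# dh_sizes MIN MAX: print the sizes to generate, in 1024-bit steps,
# e.g. "2048 4096" -> 2048 3072 4096. Sizes below 2048 and sizes that are
# not a multiple of 1024 are rejected, matching the advice in the thread.
dh_sizes() {
    min=$1 max=$2
    if [ "$min" -lt 2048 ] || [ "$max" -lt "$min" ] \
       || [ $((min % 1024)) -ne 0 ] || [ $((max % 1024)) -ne 0 ]; then
        echo "dh_sizes: bad range $min $max" >&2
        return 1
    fi
    n=$min
    while [ "$n" -le "$max" ]; do
        printf '%s\n' "$n"
        n=$((n + 1024))
    done
}

# dh_gen BITS: write $DH_DIR/dh<BITS>.pem (assumed name). Generation goes
# into a temp file in the same directory so the final mv is atomic; the
# parameters are public, so 0644 is the right mode.
dh_gen() {
    bits=$1
    out="$DH_DIR/dh$bits.pem"
    tmp=$(mktemp "$DH_DIR/.dh$bits.XXXXXX")
    openssl dhparam -out "$tmp" "$bits" 2>/dev/null
    chmod 0644 "$tmp"
    mv -f "$tmp" "$out"
    echo "$out"
}

# dh_gen_range MIN MAX: regenerate every size in the range (cron-friendly).
dh_gen_range() {
    for bits in $(dh_sizes "$1" "$2"); do
        dh_gen "$bits"
    done
}

# Usage: dhparams_gen.sh 2048 4096   (a single argument generates one size)
if [ "${1-}" ]; then
    dh_gen_range "$1" "${2:-$1}"
fi
```

Point sendmail's DHParameters (or any other daemon's equivalent option) at one of the generated files; 4096-bit and larger generation takes a long time on slow hardware, as the thread notes.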