On Sun, 2006-02-05 at 11:54 -0500, Jaldhar H. Vyas wrote:
> "DH parameters are now set for SSL to get forward secrecy, and Dovecot 
> doesn't really start until it sees them for the first time. The first 
> generation may take minutes, or even longer if you have an old computer."
> 
> Timo, do you recommend we include pregenerated parameters?

Dovecot should finish building them within a few minutes unless it's
being done on a really old computer, so I wouldn't really recommend
doing that..

> How would we do that?

Well, you could just take one ssl-parameters.dat file and distribute it
in the Debian package.. I'm not sure about its safety though. OpenSSL
gives a couple of DH parameters that are "guaranteed" to be safe, but
I'm not sure if that means anything other than that the random number
generator was seeded well.

Hmm. One thing that Dovecot could do would be to exec() itself when
building the SSL parameters with the --build-ssl-parameters option so it's
clearly visible what the process is doing. I'll do that..
