STARTTLS DSA vs RSA

2012-03-08 Thread Raymond Lillard

I have an OpenBSD system with sendmail/TLS
configured according to starttls(8) which calls
for DSA keys.

I have a situation where an MS Exchange Server
contacts my sendmail in an attempt to transfer
a message.  The transfer fails with no shared
cipher.

This sendmail handles over 10k messages per
day, so DSA is clearly supported by most in
email-land.  About twice a year, this shared
cipher issue comes up.

I am not a full time administrator and am not
wise to the ways of all things email and crypto,
so my question is:

Why does starttls(8) describe only DSA?

Is this just because nobody has updated the man
page, and are there reasons to prefer one over
the other?

I am being pressured to fix this.

Should I dig into this and figure out how to
use both?  It looks like the easy thing to
do is regenerate the certs with RSA alone.
Is that advisable?

Thanks,
Ray



Re: STARTTLS DSA vs RSA

2012-03-08 Thread Philip Guenther
On Thu, Mar 8, 2012 at 1:49 PM, Raymond Lillard r...@sonic.net wrote:
> Why does starttls(8) describe only DSA?
...
> Is this just because nobody has updated the man
> page, and are there reasons to prefer one over
> the other?

For quite a while, DSA *was* the Mandatory-To-Implement authentication
algorithm for TLS.  That changed only after RSA went out of patent
protection.  Updating the page would be a good thing, if anyone has
time...


> I am being pressured to fix this.
>
> Should I dig into this and figure out how to
> use both?  It looks like the easy thing to
> do is regenerate the certs with RSA alone.
> Is that advisable?

IMO, that's probably the best thing to do.  If you have some sort of
PKI infrastructure around your existing key(s), then it _might_ be
useful to rebuild sendmail to support configuring it with *both* RSA
and DSA keys, but I doubt it would be worth the complexity.


Philip Guenther
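The "regenerate the certs with RSA alone" step from the reply above, as an added example that is not part of the thread: it creates an RSA key pair and self-signed certificate with openssl(1), confirms the certificate's key algorithm, and includes a client-side probe of the kind a failing peer exercises. Assumptions: openssl(1) is installed, the hostname and file paths are placeholders, and the sendmail side is the usual confSERVER_CERT / confSERVER_KEY macros your existing starttls(8) setup already references.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD/sendmail.
# Regenerate a sendmail STARTTLS key and certificate with an RSA key
# instead of the DSA key starttls(8) describes, then verify the result
# before pointing confSERVER_CERT / confSERVER_KEY at the new files.
# Assumptions: openssl(1) is available; hostname and paths are placeholders.

set -eu

# gen_rsa_cert DIR: writes DIR/key.pem (RSA 2048) and DIR/cert.pem
# (self-signed, 10 years). CN is a placeholder hostname.
gen_rsa_cert() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    chmod 600 "$dir/key.pem"   # sendmail rejects group/world-readable keys
    openssl req -new -x509 -key "$dir/key.pem" -out "$dir/cert.pem" \
        -days 3650 -subj "/CN=mail.example.test" 2>/dev/null
}

# cert_key_algo CERT: prints the public-key algorithm named in CERT,
# e.g. "rsaEncryption" for the new cert or "dsaEncryption" for the old one.
cert_key_algo() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1
}

# starttls_probe HOST: shows which cipher a client negotiates over
# STARTTLS with HOST, the same check a remote MTA performs. Needs network
# access to a live server, so it is not exercised by the test below.
starttls_probe() {
    openssl s_client -starttls smtp -connect "$1:25" </dev/null 2>/dev/null \
        | sed -n '/^New, /p; /Cipher is/p; /Cipher *:/p'
}
```

Run `cert_key_algo` against the existing certificate first to confirm it is the DSA one, then against the newly generated file; the probe should report a negotiated cipher rather than a failed handshake once sendmail is restarted with the RSA pair.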