That should no doubt work, but it doesn't appear to be ideal for current use. While I think BC is referring to signed certs, what we're referring to here is the key exchange portion of the ciphers used with SSL. My (somewhat limited) understanding is that they use related technology, but their application here is different.
Sam's implementation of tls-dhparams-file appears appropriate for this day and age. It's up to the admin to generate this file with whatever key length is deemed appropriate for the application. The former various key lengths are a relic left over from when export rules were restrictive according to key lengths.

My only concern with using 2048 bit dh params is something I saw warning that some servers might not be able to handle keys that big. I doubt that's any longer the case.

I just changed my dh1024.pem file to contain 2048 key length dh params. We'll see what happens.

Thanks.

--
-Eric 'shubes'

On 03/28/2014 01:12 PM, Marc Gregel wrote:
> Eric,
> at the moment I use the same file the "normal" qmail installation uses.
> spamdyke.conf:
> tls-dhparams-file=/var/qmail/control/dh1024.pem
>
> 2014-03-28 20:08 GMT+01:00 Eric Shubert <e...@shubes.net>:
>
> > On 02/05/2014 06:34 AM, Marc Gregel wrote:
> > > Just for the records:
> > > With Version 5.0.0 and the new option "tls-dhparams-file" everything
> > > works great, TLS uses the strong cipher suites now!
> > > Thank you :-)
> >
> > Marc,
> >
> > What key length are you using in your dhparams file?
> >
> > --
> > -Eric 'shubes'
> >
> > _______________________________________________
> > spamdyke-users mailing list
> > spamdyke-users@spamdyke.org
> > http://www.spamdyke.org/mailman/listinfo/spamdyke-users