Hi all,
As for the dhparams file, let's use the ffdhe4096 one as per RFC 7919 and stop
generating these ourselves.
The file can be grabbed from e.g.
https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
Not seeing any reason to use the weaker ffdhe3072 / ffdhe2048 for backwards
compatibility, but ymmv.
Best Regards,
Ruben
> On 8 Feb 2024, at 11:06, Miroslav Lachman <[email protected]> wrote:
>
> On 07/02/2024 20:02, mike tancsa wrote:
>> Thanks for the continued sendmail support! One question, I noticed the new
>> mc file makes the following changes which refers to a file that does not
>> normally exist on RELENG_13. What is the best way to generate that file ?
>
> [..]
>
>> @@ -606,7 +607,7 @@
>> # Directory containing hashes pointing to certificate revocation status
>> files
>> #O CRLPath
>> # DHParameters (only required if DSA/DH is used)
>> -#O DHParameters
>> +O DHParameters=/etc/mail/certs/dh.param
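Review bot: the newly enabled `O DHParameters=/etc/mail/certs/dh.param` line points at a path that, as the question above notes, does not normally exist on RELENG_13, so a fresh install is configured for a file nobody ships; either keep the option commented out by default or pair the change with a documented step that installs the file (the RFC 7919 ffdhe4096 group suggested in the reply is a ready-made candidate), and extend the `# DHParameters (only required if DSA/DH is used)` comment to say where the file is expected to come from.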
>
>
> Almost any network daemon today can use DHParams files, but each has its
> own location and some of them provide a script to re-generate it
> periodically. There was a PR about it for ProFTPD a few years ago:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208953
>
> As a quick POC, I've provided a simple dhparams_gen.sh script.
> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=247526&action=edit
>
> I think something like this can be included in the base and all services from
> ports and base should be configured to use the same dhparams.pem file, easily
> managed from cron or manually by one simple command.
>
> The submitted script generates DH params from 1024 to 8192. From what I read
> on the net, 1024 and 1536 should not be used, and from my experience
> generating anything above 4096 takes too much time (the script runs for hours
> on a not so modern machine), so I created another version of the
> dhparams_gen.sh where the user can specify what sizes will be generated by
> defining the range; for example "2048 4096" will generate only the 2048, 3072
> and 4096 sizes.
> It is very simple scripting and as nobody reacted to the PR I didn't post the
> newer version. I can send it to you if you want.
>
> Kind regards
> Miroslav Lachman
>
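Both halves of the thread come down to the same operational question: how do you make sure the file you hand to `O DHParameters` is a sane DH group of adequate size, whether it was downloaded (the RFC 7919 ffdhe4096 PEM Ruben points at) or generated locally (the size range Miroslav's dhparams_gen.sh takes)? The script below is an added example written for this page, not Ruben's or Miroslav's script and not the attachment from the bug report. It assumes only the openssl(1) CLI; the /etc/mail/certs/dh.param path in the usage comment is the one from the quoted mc diff, and every other path is a hypothetical placeholder. It validates a parameter file with `openssl dhparam -check`, extracts the prime length, refuses anything under 2048 bits (the thread's "1024 and 1536 should not be used"), and can generate the standard sizes within a range, validating each one.

```shell
#!/bin/sh
# Added example (not the thread's dhparams_gen.sh): validate a DH parameter
# file before pointing sendmail or another daemon at it, and generate a range
# of standard sizes. Assumes the openssl(1) CLI is installed.

# dh_bits FILE: print the prime length in bits, or fail if FILE is not a
# parseable DH parameter file.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1 \
        | grep .
}

# dh_check FILE [MIN_BITS]: succeed (printing the size) only if FILE passes
# openssl's -check and its prime is at least MIN_BITS long. The default of
# 2048 follows the thread: 1024 and 1536 must not be used.
dh_check() {
    file=$1
    min=${2:-2048}
    [ -r "$file" ] || { echo "dh_check: cannot read $file" >&2; return 1; }
    openssl dhparam -in "$file" -noout -check >/dev/null 2>&1 \
        || { echo "dh_check: $file failed openssl dhparam -check" >&2; return 1; }
    bits=$(dh_bits "$file") \
        || { echo "dh_check: cannot determine size of $file" >&2; return 1; }
    if [ "$bits" -lt "$min" ]; then
        echo "dh_check: $file is only $bits bits (minimum $min)" >&2
        return 1
    fi
    echo "$bits"
}

# dh_generate DIR BITS: generate a safe-prime group of BITS bits into
# DIR/dh$BITS.pem and validate it. As the thread notes, 4096 and above take
# a long time on slower hardware.
dh_generate() {
    dir=$1; bits=$2
    mkdir -p "$dir" || return 1
    openssl dhparam -out "$dir/dh$bits.pem" "$bits" 2>/dev/null || return 1
    dh_check "$dir/dh$bits.pem" "$bits" >/dev/null
}

# dh_generate_range DIR LOW HIGH: generate every standard size between LOW
# and HIGH inclusive, e.g. "2048 4096" gives 2048, 3072 and 4096.
dh_generate_range() {
    dir=$1; low=$2; high=$3
    for bits in 2048 3072 4096 6144 8192; do
        if [ "$bits" -ge "$low" ] && [ "$bits" -le "$high" ]; then
            dh_generate "$dir" "$bits" || return 1
        fi
    done
}

# Usage (hypothetical paths): validate a downloaded RFC 7919 group, insisting
# on the full 4096 bits, before installing it where the mc file expects it:
#   dh_check /tmp/ffdhe4096.pem 4096 \
#       && install -m 0644 /tmp/ffdhe4096.pem /etc/mail/certs/dh.param
# Or generate a local range the way the quoted script is described:
#   dh_generate_range /etc/ssl/dhparams 2048 4096
```

Running `dh_check` on the downloaded file is the step that matters when you stop generating groups yourself: it confirms the PEM actually parses, that openssl's primality and generator checks pass, and that the prime is the size the filename claims, so a truncated download or a swapped-in smaller group is caught before any daemon is restarted with it.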