On Fri, 14 Aug 2015 22:10:20 +0200, Gilles Chehade wrote:
> I don't think removing the compiled-in value is a good idea.
I agree.
> People can already load their own DH parameters from a file and having
> safely generated compiled parameters as default fallback doesn't hurt.
Aha, I missed the "
On Fri, Aug 14, 2015 at 06:23:11AM -0600, Todd C. Miller wrote:
> > Related to this: smtpd(8) has compiled-in 1024-bit DH parameters.
> > This probably wants at least bumping to 2048 though I wonder if it
> > might be better to remove the compiled-in value completely and
> > require it to be read f
On Fri, 14 Aug 2015 11:07:17 +0100, Stuart Henderson wrote:
> Generally looks good but one thing I'm wondering about.
>
> > +.Dl # openssl genrsa -out /etc/ssl/private/mail.example.com.key 4096
> > +.Pp
> > +This would generate a 4096-bit
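Review bot: the key size appears twice in this hunk, hard-coded as `4096` in the `.Dl` command line and repeated as "4096-bit" in the sentence after `.Pp`; if the size is changed following the key-length discussion in this thread, both places must be updated together, so consider having the sentence refer to "a key of the requested size" rather than restating the number.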
>
> Is 4096-bit overkill? When we updated ssl(8) we settl
On Friday, 14.08.2015, 11:07 +0100, Stuart Henderson wrote:
> Is 4096-bit overkill? When we updated ssl(8) we settled on 2048-bit
> though
> that's more aimed at https where response time is more important.
http://www.keylength.com/en/ gives an overview of the key-length
recommendations o
On 2015/08/13 17:20, Todd C. Miller wrote:
> Some mail servers (notably gmail) have stopped supporting TLS using
> DSA keys. I've adapted the bits in smtpd.conf(5) to fit.
Generally looks good but one thing I'm wondering about.
> +.Dl # openssl genrsa -out /etc/ssl/private/mail.example.com.key
Some mail servers (notably gmail) have stopped supporting TLS using
DSA keys. I've adapted the bits in smtpd.conf(5) to fit.
- todd
Index: share/man/man8/starttls.8
===
RCS file: /cvs/src/share/man/man8/starttls.8,v
retrieving rev