From d36416e2fc7a63e81fa8c59b3131364a0ef1b65a Mon Sep 17 00:00:00 2001
From: Bill Cromie
Date: Mon, 5 Dec 2016 14:47:04 -0500
Subject: [PATCH] change to dhparam to use the -dsaparam flag. faster, same level of security. also hides the output
---
 setup/ssl.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/setup/ssl.sh b/setup/ssl.sh
index ff368049..d6d6f80c 100755
--- a/setup/ssl.sh
+++ b/setup/ssl.sh
@@ -19,7 +19,7 @@
 #
 # The Diffie-Hellman cipher bits are used for SMTP and HTTPS, when a
 # Diffie-Hellman cipher is selected during TLS negotiation. Diffie-Hellman
-# provides Perfect Forward Secrecy.
+# provides Perfect Forward Secrecy.
 source setup/functions.sh # load our functions
 source /etc/mailinabox.conf # load global vars
@@ -93,6 +93,9 @@ fi
 # Generate some Diffie-Hellman cipher bits.
 # openssl's default bit length for this is 1024 bits, but we'll create
 # 2048 bits of bits per the latest recommendations.
+# use -dsaparam, as it's just as secure, but waaay faster
+# http://security.stackexchange.com/questions/95178/diffie-hellman-parameters-still-calculating-after-24-hours
 if [ ! -f $STORAGE_ROOT/ssl/dh2048.pem ]; then
- openssl dhparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048
+ hide_output \
+ openssl dhparam -dsaparam -out $STORAGE_ROOT/ssl/dh2048.pem 2048
 fi
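Review bot: The first added comment in the second hunk states that `-dsaparam` is "just as secure" but leaves out the condition that makes that true: DSA-style parameters are not a safe prime, so the group is only safe for DHE when every TLS handshake uses a fresh private key, and a server that reuses its DH private key with such parameters is exposed to a small-subgroup attack that can recover that key (OpenSSL enforces single-use DH keys in newer releases but left it optional in older ones — confirm the Postfix and nginx versions this file serves, since the first hunk's context says the same dh2048.pem is used for both SMTP and HTTPS). Suggest replacing that comment with `# -dsaparam builds a DSA-style (non-safe-prime) group: far faster to generate and fine for DHE only because TLS uses a fresh private key per handshake; never reuse a DH private key with these parameters`. The new `openssl dhparam` line also keeps `$STORAGE_ROOT` unquoted, as does the unchanged `if [ ! -f ... ]` test above it; writing `"$STORAGE_ROOT/ssl/dh2048.pem"` in both places avoids word-splitting if the storage path ever contains spaces. What `hide_output` does when the wrapped command exits non-zero is defined in setup/functions.sh, outside this hunk, so whether a failed parameter generation still aborts the setup cannot be confirmed here.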