
Re: Dozens of qmail-smtpd processes eating 100% of CPU

To: qmail@list.cr.yp.to
Subject: Re: Dozens of qmail-smtpd processes eating 100% of CPU
From: Kyle Wheeler <kyle-qmail@memoryhole.net>
Date: Fri, 18 May 2007 15:15:07 -0600
In-reply-to: <464E0C5C.1000400@sourcefire.com>
Mail-followup-to: qmail@list.cr.yp.to
Mailing-list: contact qmail-help@list.cr.yp.to; run by ezmlm
User-agent: Mutt/1.5.15cvs (2007-05-02)
On Friday, May 18 at 04:28 PM, quoth Alex Kirk:
> Aha! That's definitely it!

<whew!> Good! 'cuz if it wasn't, then we were in some pretty deep water.

> Thank you so much for continuing to work with me on this. I *greatly* appreciate it.

Glad I can help!

> Meanwhile, for posterity's take, I got dh1024.pem and dh512.pem out of /usr/src/lib/libssl/src/apps/ on my OpenBSD 3.8 system (you may not have to generate them, just copy them from somewhere like I did).

No, you *really* need to generate them, and more specifically, you *really* need to re-generate them periodically.

The problem with permanent SSL certificates (as I understand it, and I'm no guru on SSL) is that given enough connections, which are all very regular (for example, you know that the greeting is the same each time, and you know the general structure of an SMTP conversation), you can begin to figure out what the certificate is. The way to solve this problem is to add a little extra to the encryption, that will be (partially?) exchanged with the client as part of the Diffie-Hellman key-exchange process, and this makes it so that figuring out the contents of the SSL certificate is safe even though most SMTP conversations are roughly identical.

That "little extra" is what the dh1024.pem and dh512.pem files are for. And it's fine to regenerate them as infrequently as once-a-week, but you really shouldn't use someone else's, and you really should regenerate them at least once a week.

> I'm going to go look at the docs for the starttls patch, because it's unlike me to have skipped a step like this. Hopefully either I was an idiot when I installed the patch, or I can submit a doc patch to spare other people this hassle in the future.

Good luck! (In this case, the docs are inconveniently placed at the beginning of the patch file, so they're easy to skip and/or not notice.)

~Kyle
--
History will be kind to me, for I intend to write it.
                                                  -- Winston Churchill
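A regeneration script for the two files discussed above, added here as an example; it is not code from the starttls patch or the qmail project. It keeps the page's dh512.pem/dh1024.pem names and sizes, and the /var/qmail/control default, the --run flag and the function names are assumptions (the bits argument lets a current deployment pick larger sizes).

```shell
#!/bin/sh
# Regenerate ephemeral DH parameter files and install them atomically.
# Assumed layout: qmail's control directory holds dh512.pem and dh1024.pem.
set -eu

# regen_dh DIR BITS: writes DIR/dh${BITS}.pem, replacing any existing file.
regen_dh() {
    dir=$1
    bits=$2
    target="$dir/dh${bits}.pem"
    tmp=$(mktemp "$dir/.dh${bits}.XXXXXX")
    # Generate into a temp file so an interrupted run never leaves a
    # truncated parameter file in place for qmail-smtpd to load.
    if ! openssl dhparam -out "$tmp" "$bits" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    # Refuse to install parameters that OpenSSL itself cannot validate.
    if ! openssl dhparam -check -noout -in "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; return 1
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$target"   # rename is atomic on the same filesystem
}

# is_stale FILE DAYS: true if FILE is missing or older than DAYS days,
# so the weekly cron run can skip files that are still fresh.
is_stale() {
    file=$1
    days=$2
    [ ! -f "$file" ] || [ -n "$(find "$file" -mtime +"$days" 2>/dev/null)" ]
}

# Cron entry point: refresh both files, defaulting to qmail's control dir.
main() {
    ctl=${1:-/var/qmail/control}
    for bits in 512 1024; do
        if is_stale "$ctl/dh${bits}.pem" 7; then
            regen_dh "$ctl" "$bits"
        fi
    done
}

# Only act when invoked with --run, e.g. from cron:
#   sh regen_dh.sh --run /var/qmail/control
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```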

