Date: Thu, 8 Feb 2024 12:01:20 +0100
From: Ruben van Staveren <ruben@verweg.com>
To: Ruben van Staveren via freebsd-stable <freebsd-stable@freebsd.org>
Cc: mike tancsa <mike@sentex.net>, Gregory Shapiro <gshapiro@freebsd.org>, Miroslav Lachman <000.fbsd@quip.cz>
Subject: Re: sendmail 8.18.1 MFC'ed to stable/13 and stable/14
Message-ID: <4CEF6CCD-2BB5-4677-9D81-55F23E9FA89A@verweg.com>
In-Reply-To: <dd579cb4-559f-4a05-a2d9-e9709cd27ada@quip.cz>
References: <kuweloin2as6rvj46zff4kfm5lhyess73hdloiw2ggkpmzukhp@mzrzjmdli4yc> <c1a30751-daba-4321-bcff-4175f07c0b73@sentex.net> <dd579cb4-559f-4a05-a2d9-e9709cd27ada@quip.cz>
Hi all,

As for the dhparams file, let's use the ffdhe4096 one as per RFC7919 and stop generating these ourselves. The file can be grabbed from e.g. https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem

Not seeing any reason to use the weaker ffdhe3072 / ffdhe2048 for backwards compatibility, but ymmv.

Best Regards,
Ruben

> On 8 Feb 2024, at 11:06, Miroslav Lachman <000.fbsd@quip.cz> wrote:
>
> On 07/02/2024 20:02, mike tancsa wrote:
>> Thanks for the continued sendmail support! One question, I noticed the new mc file makes the following changes which refer to a file that does not normally exist on RELENG_13. What is the best way to generate that file?
>
> [..]
>
>> @@ -606,7 +607,7 @@
>> # Directory containing hashes pointing to certificate revocation status files
>> #O CRLPath
>> # DHParameters (only required if DSA/DH is used)
>> -#O DHParameters
>> +O DHParameters=/etc/mail/certs/dh.param
>
>
> Almost any network daemon today can use DHParams files, but each has its own location and some of them provide a script to re-generate it periodically. There was a PR about it for ProFTPD a few years ago:
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=208953
>
> As a quick POC, I've provided a simple dhparams_gen.sh script.
> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=247526&action=edit
>
> I think something like this can be included in the base, and all services from ports and base should be configured to use the same dhparams.pem file, easily managed from cron or manually by one simple command.
>
> The submitted script generates DH params from 1024 to 8192. From what I read on the net, 1024 and 1536 should not be used, and from my experience generating anything above 4096 takes too much time (the script runs for hours on a not so modern machine), so I created another version of dhparams_gen.sh where the user can specify which sizes will be generated by defining a range; for example "2048 4096" will generate only the 2048, 3072 and 4096 sizes.
> It is very simple scripting and as nobody reacted to the PR I didn't post the newer version. I can send it to you if you want.
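Review bot: the `+O DHParameters=/etc/mail/certs/dh.param` line enables the option unconditionally, yet nothing in the hunk creates or documents /etc/mail/certs/dh.param, and as noted earlier in this thread the file does not normally exist on RELENG_13, so sendmail's TLS configuration is pointed at a file that may be missing on upgrade. Either ship a parameter file at that path (the RFC7919 ffdhe4096 group proposed at the top of this message avoids generating one at all) or keep the line commented and extend the `# DHParameters (only required if DSA/DH is used)` comment with how the file is expected to be created.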
>
> Kind regards
> Miroslav Lachman
>