[gnutls-help] --bits should not arbitrarily prohibit me from creating small dh params

Micah Anderson micah at riseup.net
Fri Sep 27 02:56:58 CEST 2013


Hello,

I would prefer to use certtool over openssl in order to generate the DH
parameter files that I need for my postfix MTA installations;
unfortunately it seems as if certtool is not letting me create smaller
bit sizes.

Postfix currently accepts two possible settings:

http://www.postfix.org/postconf.5.html#smtpd_tls_dh512_param_file
http://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file

it seems I cannot generate the dh512 param file with certtool:

$ certtool --generate-dh-params --bits=512 --outfile=/tmp/dh_512.pem
** Note: Please use the --sec-param instead of --bits         
Error generating parameters: The request is invalid.

I believe that this is a too small bit size, but in an MTA world, I need
to be able to gracefully accept smaller bit sizes if a client can only
do those. If I do not configure the 512-bit file, that means if
someone connects to my MTA who is only offering 512 bits of DH, then I
would refuse to talk to them and we'd just do it in the clear... that is
not a good situation. Postfix will use the better parameters when peers
can accept them, but I need to still be able to work with peers that
cannot accept the reasonable parameters.

I understand the goal of pushing people to use the --sec-param option to
automatically make some crypto decisions for people, so they don't need
to worry about them, but I would prefer that you do not disable the
--bits functionality when the bits are considered too low and let me
decide that.

thanks!
micah
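As an added check that is not part of this message or of GnuTLS or Postfix: the parser below reads the "DH PARAMETERS" PEM block that certtool and openssl write (PKCS#3 DHParameter, a DER SEQUENCE of the prime and the generator), reports the prime's bit length and flags it against a minimum, so the files named in smtpd_tls_dh512_param_file / smtpd_tls_dh1024_param_file can be audited. The embedded sample is constructed by hand from 2^511 + 1 (not a prime) purely to exercise the parser.

```python
import base64
import re

# PEM framing used by certtool --generate-dh-params and openssl dhparam.
PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S)

def _der_len(buf, i):
    """Decode a DER length at buf[i]: short form < 0x80, else 0x80|n then n bytes."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int(buf, i):
    """Decode a DER INTEGER (tag 0x02) at buf[i]; return (value, next index)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER at offset %d" % i)
    length, i = _der_len(buf, i + 1)
    return int.from_bytes(buf[i:i + length], "big", signed=True), i + length

def parse_dh_params(pem):
    """Return (p, g) from DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode(m.group(1))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    _, i = _der_len(der, 1)
    p, i = _der_int(der, i)
    g, _ = _der_int(der, i)
    return p, g

def check_dh_params(pem, minimum=1024):
    """(bits, status): the prime's bit length, 'weak' if it is below `minimum`."""
    bits = parse_dh_params(pem)[0].bit_length()
    return bits, ("ok" if bits >= minimum else "weak")

# Constructed sample: hand-encoded DER for SEQUENCE { 2^511 + 1, 2 }, base64'd.
# 2^511 + 1 is NOT a prime; it only gives the parser a 512-bit value to size.
SAMPLE_512 = ("-----BEGIN DH PARAMETERS-----\n"
              "MIFGAkEAgAAA" + "A" * 80 + "AQIBAg==\n"
              "-----END DH PARAMETERS-----\n")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the files named in smtpd_tls_dh*_param_file
        print(path, check_dh_params(open(path).read()))
```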