On Tue, 19 Feb 2019 at 09:07, David C. Rankin <drankinatty@xxxxxxxxxxxxxxxxxx> wrote: > The wiki https://wiki.archlinux.org/index.php/Dovecot#Generate_DH_parameters > shows: > > Generate DH parameters > > To generate a new DH parameters file (this will take very long): > > # openssl dhparam -out /etc/dovecot/dh.pem 4096 > > > The journal message shows: > > dd if=/var/lib/dovecot/ssl-parameters.dat bs=1 skip=88 | openssl dhparam > -inform der > /etc/dovecot/dh.pem > > (which takes a fraction of a second) > > Why the difference? It doesn't seem to matter. For what it's worth, you should probably be using the well known dhparams, see https://wiki.mozilla.org/Security/Server_Side_TLS#Pre-defined_DHE_groups Our wiki needs to be updated.
