
DHParameters

Parameters for DSA/DH cipher suite V8.11 and later

For an ephemeral Diffie-Hellman (DH) key exchange, the server first sends its certificate, which carries either an RSA or a DSA public key. The server then generates an ephemeral DH key pair and signs and sends the DH parameters (the prime and generator) together with its DH public value.

The DH parameters that are sent are either generated by sendmail itself or read from a file. Which of the two happens, and where that file lives, is defined with this DHParameters option:

O DHParameters=param               configuration file (V8.11 and later) 
-ODHParameters=param               command line (V8.11 and later) 
define(`confDH_PARAMETERS',`param')    mc configuration (V8.11 and later) 

Here, param is one of the items shown in Table 24-17. Note that only the first character of param is examined, so 5 and 512 are equivalent (as are 1 and 1024). Also note that the default is 1024 for the server and 512 for the client.

Table 24-17. DHParameters parameter items

Item          Meaning
none          No parameters, so don't use DH
512           Generate 512-bit fixed parameters
1024          Generate 1024-bit fixed parameters
/path/file    Read the parameters from a file

If you use the /path/file item, the file referenced must live in a safe path: the file itself and every directory leading up to it must be owned by root and writable only by root. Otherwise, anyone able to write to that path could substitute their own (weak) parameters for the ones you generated.

If you use an item that is not in the table, one of the following errors will print and be logged, depending on whether sendmail is in the role of a client or server:

STARTTLS=client, error: illegal value 'bad item' for DHParam
STARTTLS=server, error: illegal value 'bad item' for DHParam

This option should be defined only if a cipher suite that uses Diffie-Hellman (a DSA/DH suite) is in use. Otherwise, leave it undefined.

The DHParameters option is not safe. If it is specified from the command line, sendmail relinquishes its special privileges.
