
Re: TLS (smtpserver): TLS engine: cannot load DH parameters from our cert file



On Sun, Feb 23, 2003 at 01:38:33PM +0100, Artur Meski wrote:
> After smtpserver startup I get the following log messages:
> 
> WMTLTSx0000#    TLS engine: cannot load DH parameters from our cert file
> WMTLTSx0000#    79029:error:0906D06C:PEM routines:PEM_read_bio:no start line:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/pem/pem_lib.c:663:Expecting: DH PARAMETERS:
> 
> What's wrong?

The explanation I found is in the source code:

	/*
	 * We might also need dh parameters, which can either be
	 * loaded from file (preferred) or we simply take the compiled
	 * in values.
	 *
	 * First, set the callback that will select the values when
	 * requested, then load the (possibly) available DH parameters
	 * from files.
	 *
	 * We are generous with the error handling, since we do have
	 * default values compiled in, so we will not abort but just
	 * log the error message.
	 */


I will alter the message text to be less alarmist.

OpenSSL documentation says:

  The DHparams functions process DH parameters using a DH structure.
  The parameters are encoded using a PKCS#3 DHparameter structure.

Which, again, does not say much, but relates somehow to newer keys,
and the ways in which Diffie-Hellman key exchange CAN be done.


> Here's part of my smtpserver.conf relative to tls.
> 
> PARAM use-tls
> PARAM tls-CAfile        $MAILVAR/db/smtpserver-CAcert.pem
> PARAM tls-cert-file     $MAILVAR/db/smtpserver-cert.pem
> PARAM tls-key-file      $MAILVAR/db/smtpserver-key.pem
> 
> -- 
> // Artur Meski // email: artur@cifrid.net // www: artur.black.pl //

-- 
/Matti Aarnio	<mea@nic.funet.fi>
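
The logged OpenSSL error ("no start line ... Expecting: DH PARAMETERS") means the PEM reader reached the end of the file without finding a block with that label. The following Python check is an added example, not part of the original message or of ZMailer's code; the function names and the sample PEM data are constructed for illustration. It lists the PEM block labels present in a file's text and reports whether a DH PARAMETERS block is among them.

```python
import base64
import re

# PEM encapsulation boundaries: -----BEGIN <label>----- / -----END <label>-----
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 #.]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 #.]+)-----$")


def pem_blocks(text):
    """Return [(label, der_bytes)] for each well-formed PEM block in text."""
    blocks, label, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        begin, end = _BEGIN.match(line), _END.match(line)
        if begin:
            label, body = begin.group(1), []   # a new BEGIN restarts the block
        elif end and label is not None:
            if end.group(1) == label:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                    blocks.append((label, der))
                except ValueError:
                    pass                       # corrupt body: not a usable block
            label = None
        elif label is not None and line and ":" not in line:
            body.append(line)                  # skip "Proc-Type:"-style headers
    return blocks


def check_cert_file(text, wanted="DH PARAMETERS"):
    """Describe what a loader looking for `wanted` would find in this text."""
    labels = [lbl for lbl, _ in pem_blocks(text)]
    if wanted in labels:
        return "found %s" % wanted
    return "no start line, expecting %s (file holds: %s)" % (
        wanted, ", ".join(labels) or "no PEM blocks")


def _pem(label, data):
    # Constructed sample data: filler bytes, not a real certificate or DH group.
    b64 = base64.encodebytes(data).decode().strip()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)


CERT_ONLY = _pem("CERTIFICATE", b"\x30\x82" + bytes(range(60)))
WITH_DH = CERT_ONLY + _pem("DH PARAMETERS", b"\x30\x0b" + bytes(range(11)))

if __name__ == "__main__":
    print(check_cert_file(CERT_ONLY))
    print(check_cert_file(WITH_DH))
```

To check a real file, pass its contents, for example `check_cert_file(open(path).read())`.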