#include <infodrom.style>
#include <debian.style>

<page title="Debian Tips">

<h1 align=center>stunnel: Could not load DH parameters</h1>

<p>After an upgrade from Debian sarge (3.1) to etch or newer you may
encounter the following messages in your <code>daemon.log</code> log
file when you try to access a service secured by <a
href="http://packages.debian.org/stunnel">stunnel</a>:</p>

<p><pre>
   Could not load DH parameters from /etc/ssl/certs/suucp.pem
   Diffie-Hellman initialization failed
   Error reading certificate file: /etc/ssl/certs/suucp.pem
   SSL_CTX_use_certificate_chain_file: error:0906D06C:PEM routines:PEM_read_bio:no start line
</pre></p>

<p>When running as a server, the new version of stunnel requires not only
the certificate and the private key in the PEM file but also
initialisation parameters for the Diffie-Hellman algorithm.</p>

<p>The following command will create the missing DH parameters that
need to be appended to the existing PEM file:</p>

<p><pre>
   dd if=/dev/urandom count=2 | openssl dhparam -rand - 512
</pre></p>
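
<p>To check a PEM file before restarting the service, the following added
example (not part of the stunnel package or of the original tip) lists which
of the three blocks are missing and reports the size of the DH prime it finds.
The function names and the sample data are assumptions made for this
illustration; the sample blocks are constructed placeholders, not real key
material.</p>

```python
import base64
import re

# Label and base64 body of each PEM block in the file.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
REQUIRED = ("CERTIFICATE", "PRIVATE KEY", "DH PARAMETERS")

def read_tlv(buf, pos=0):
    """Return (tag, value) of the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length]

def dh_prime_bits(der):
    """Size of p in DHParameter ::= SEQUENCE { INTEGER p, INTEGER g }."""
    tag, seq = read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p = read_tlv(seq)
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(p, "big").bit_length()

def check_pem(text):
    """Return (missing block types, DH prime size in bits or None)."""
    blocks = PEM_RE.findall(text)
    missing = [want for want in REQUIRED
               if not any(label.endswith(want) for label, _ in blocks)]
    bits = None
    for label, body in blocks:
        if label == "DH PARAMETERS":
            bits = dh_prime_bits(base64.b64decode(body))
    return missing, bits

# Constructed sample: placeholder bodies, not real key material.
OLD_PEM = ("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
           "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n")
# Constructed 512-bit value standing in for p (not a real prime), with g = 2.
_p = ((1 << 511) | 1).to_bytes(64, "big")
_der = bytes([0x30, 70, 0x02, 65, 0x00]) + _p + bytes([0x02, 0x01, 0x02])
NEW_PEM = (OLD_PEM + "-----BEGIN DH PARAMETERS-----\n"
           + base64.b64encode(_der).decode() + "\n-----END DH PARAMETERS-----\n")
```

<p>For a real file, pass its contents to <code>check_pem()</code>; an empty
list of missing blocks means the certificate, the key and the DH parameters
are all present.</p>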

<p>Generating new PEM files is described in the file
<code>README.Debian</code> in the documentation directory of the Debian
package.</p>

</page>

# Local variables:
# mode: indented-text
# end:
