.. title: Goldilocks
.. slug: goldilocks
.. date: 2020-10-04 16:00:37 UTC
.. tags: web, linux, encryption
.. category: 
.. link: 
.. description: 
.. type: text

For our webserver, the ``lefh`` script provided by Hiawatha, which I run daily via a cron job, guarantees that the certificates for the transport encryption are renewed before they expire. For our `IRC server <https://cobra.pdes-net.org/posts/inspircd-3.html>`_, in contrast, I have to do that manually. That might seem like a nuisance, but on the other hand, it gives me the chance to review the current state of the art regarding transport encryption and to bring my configuration up to that level. I've previously used `ed25519 <https://en.wikipedia.org/wiki/Curve25519>`_ (which I also choose when generating SSH keys), but `ed448 <https://en.wikipedia.org/wiki/Curve448>`_ seems an even `better choice <https://en.wikipedia.org/wiki/Goldilocks_principle>`_.

::

	# private key on Curve448 (the curve fixes the key size)
	certtool --generate-privkey --key-type ed448 --sec-param ultra --outfile key.pem
	# self-signed certificate; subject, SAN and validity come from the cert.cfg template
	certtool --generate-self-signed --load-privkey key.pem --template cert.cfg --outfile cert.pem
	# Diffie-Hellman parameters for the server's DHE cipher suites
	certtool --get-dh-params --sec-param ultra --outfile dhparams.pem
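The manual renewal described above can be driven by the same daily cron job as the webserver. The script below is an added example, not part of the original post and not code from Hiawatha or GnuTLS: it wraps the three ``certtool`` commands in a renew-if-needed check that reads the certificate's ``Not After`` date and regenerates key, certificate and DH parameters once expiry is within a configurable window. It assumes GnuTLS ``certtool`` and GNU ``date`` are installed, that ``certtool -i`` prints a ``Not After:`` line, and that the file names follow the post; the host name, the 30-day window and the ``cert.cfg`` contents are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not the post's own script): renew the Ed448 IRC certificate
# when it is close to expiry, using the certtool commands from the post.
# Assumptions: GnuTLS certtool and GNU date are available; file names
# key.pem / cert.pem / dhparams.pem / cert.cfg follow the post; the host
# name and renewal window below are placeholders.
set -eu

HOSTNAME_FQDN="${HOSTNAME_FQDN:-irc.example.org}"   # placeholder host name
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"        # renew this many days before expiry

# Pure arithmetic, so it can be exercised without a certificate on disk:
# returns 0 (true) when not_after is within window_days of now, or already past.
needs_renewal() {
    local not_after_epoch=$1 now_epoch=$2 window_days=$3
    local window_secs=$(( window_days * 86400 ))
    [ $(( not_after_epoch - now_epoch )) -le "$window_secs" ]
}

# "Not After" timestamp of a PEM certificate as epoch seconds.
# Assumes certtool -i prints a line like "Not After: Mon Oct 04 16:00:37 UTC 2021".
cert_not_after_epoch() {
    local cert=$1 line
    line=$(certtool -i --infile "$cert" | sed -n 's/^[[:space:]]*Not After: //p' | head -n1)
    [ -n "$line" ] || { echo "could not read Not After from $cert" >&2; return 1; }
    date -u -d "$line" +%s
}

# Minimal certtool template (constructed for this example). Ed448 keys are
# signing-only, so only the digitalSignature usage is requested.
write_template() {
    cat > cert.cfg <<EOF
cn = "$HOSTNAME_FQDN"
dns_name = "$HOSTNAME_FQDN"
expiration_days = 365
tls_www_server
signing_key
EOF
}

# The three commands from the post, plus restrictive permissions on the key.
renew_cert() {
    certtool --generate-privkey --key-type ed448 --sec-param ultra --outfile key.pem
    chmod 600 key.pem
    certtool --generate-self-signed --load-privkey key.pem --template cert.cfg --outfile cert.pem
    certtool --get-dh-params --sec-param ultra --outfile dhparams.pem
}

main() {
    if [ ! -f cert.pem ] || needs_renewal "$(cert_not_after_epoch cert.pem)" "$(date -u +%s)" "$RENEW_WINDOW_DAYS"; then
        write_template
        renew_cert
        echo "renewed cert.pem for $HOSTNAME_FQDN; restart the IRC server to load it"
    else
        echo "cert.pem valid for more than $RENEW_WINDOW_DAYS days; nothing to do"
    fi
}

# Usage: bash renew-irc-cert.sh run   (from a daily cron job, in the cert directory)
if [ "${1:-}" = "run" ]; then
    main
fi
```

The expiry arithmetic is kept in its own function so the decision logic can be checked on its own; ``certtool`` only runs when the script is invoked with ``run``, and the server still has to be told to reload the new files.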
