Re: [exim-dev] [exim] 4.80 RC2 TLS interop between GnuTLS an…

Top Page
Delete this message
Reply to this message
Author: Janne Snabb
Date:  
To: exim-dev
Subject: Re: [exim-dev] [exim] 4.80 RC2 TLS interop between GnuTLS and NSS
On 2012-05-21 01:34, Janne Snabb wrote:
> Maybe NSS is unable to create/use bigger keys than 2048 bits?


I found the actual limit in NSS sources in
mozilla/security/nss/lib/freebl/blapit.h:

#define DH_MAX_P_BITS         2236


Thus DHE keys up to 2236 bits do work, but longer keys cause the
observed failure.

Previously the limit was 1024 bits but it was increased to 2236 some
years ago, see the discussion at:
https://bugzilla.mozilla.org/show_bug.cgi?id=259229

The limit is documented here:

https://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html

It is also mentioned in the following interesting discussion:

http://sourceforge.net/mailarchive/forum.php?thread_name=4C81BB9E.9010808%40iang.org&forum_name=ssllabs-discuss

Something like the patch below might be needed. Disgusting :(.

---
 src/src/tls-gnu.c |    9 +++++++++
 1 file changed, 9 insertions(+)


diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 51fdb86..3a1cf61 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -395,6 +395,15 @@ DEBUG(D_tls)
       dh_bits);
 #endif


+/* NSS has a limit on D-H ephemeral key size: */
+#define NSS_DH_MAX_P_BITS 2236
+if (dh_bits > NSS_DH_MAX_P_BITS) {
+  dh_bits = NSS_DH_MAX_P_BITS;
+DEBUG(D_tls)
+  debug_printf("Clamping D-H PK size to %d bits to workaround NSS
limit.\n",
+      dh_bits);
+}
+
 if (!string_format(filename, sizeof(filename),
       "%s/gnutls-params-%d", spool_directory, dh_bits))
   return tls_error(US"overlong filename", NULL, NULL);
-- 
1.7.9.5


--
Janne Snabb / EPIPE Communications
snabb@??? - http://epipe.com/