Autor: Phil Pennock Datum: To: Wolfgang Breyha, Jeremy Harris, exim-dev Betreff: Re: [exim-dev] 4.80 final?
On 2012-05-27 at 00:19 -0400, Phil Pennock wrote: > This is strange. Exim should have been using a file named
> "gnutls-params-2236", for the number of bits in the file.
>
> Oh crap. I know what it is. GnuTLS generates *approximately* the
> number of bits requested, and can go over. OpenSSL is more exact, but
> takes significantly longer.
>
> Crap crap crap. I'll lower the default value of tls_dh_max_bits, so
> that even when generation goes over, the count will *probably* only be
> 2236 and NSS will work.
>
> You probably had a 2237 bit key in the file.
I spent some time trying to find an API call to interrogate the size so
we could retry until the value was acceptable. I failed to find one.
I've mailed the GnuTLS mailing-list, suggesting such a call might be
Quite Useful.
There is no sane way I can find to hook into get the value, except
perhaps another debug hook which extracts data from the text string
passed in.
So, first pass, I subtracted 3 from the tls_dh_max_bits, to request
2233. In my first test, the generated DH prime had 2240 bits.
We now subtract 10, if tls_dh_max_bits is at least 1034.
We're still using a strategy called "hope". This is Not Good (tm).