Gitweb:
http://git.exim.org/exim.git/commitdiff/cb66e5ee237d34f906e5b7a8907f6b0e6ad69a58
Commit: cb66e5ee237d34f906e5b7a8907f6b0e6ad69a58
Parent: a799883d8ad340d935db4d729a31c02cb8a1d977
Author: Phil Pennock <pdp@???>
AuthorDate: Sun May 27 10:02:12 2012 -0400
Committer: Phil Pennock <pdp@???>
CommitDate: Sun May 27 10:02:12 2012 -0400
Doc: SECTgnutlsparam referencing tls_dhparam
---
doc/doc-docbook/spec.xfpt | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index beb0522..c71dfb1 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -25061,6 +25061,12 @@ implementation, then patches are welcome.
.section "GnuTLS parameter computation" "SECTgnutlsparam"
.new
+This section only applies if &%tls_dhparam%& is set to &`historic`& or to
+an explicit path; if the latter, then the text about generation still applies,
+but not the chosen filename.
+By default, as of Exim 4.80 a hard-coded D-H prime is used.
+See the documentation of &%tls_dhparam%& for more information.
+
GnuTLS uses D-H parameters that may take a substantial amount of time
to compute. It is unreasonable to re-compute them for every TLS session.
Therefore, Exim keeps this data in a file in its spool directory, called
@@ -25076,6 +25082,10 @@ place, new Exim processes immediately start using it.
For maximum security, the parameters that are stored in this file should be
recalculated periodically, the frequency depending on your paranoia level.
+If you are avoiding using the fixed D-H primes published in RFCs, then you
+are concerned about some advanced attacks and will wish to do this; if you do
+not regenerate then you might as well stick to the standard primes.
+
Arranging this is easy in principle; just delete the file when you want new
values to be computed. However, there may be a problem. The calculation of new
parameters needs random numbers, and these are obtained from &_/dev/random_&.
