On 2012-05-30 at 23:44 +0000, W B Hacker wrote:
> Sorry - I see that cure as worse than the disease.
>
> Potentially FAR worse.
>
> Who is expecting to even need to look at it as part of an upgrade when
> the default had not been broken?
You're quite right.
I thought that this was a *new* check as part of the revamp and that
before there was no minimum bound. I changed so many things I've lost
track.
In fact, *before* changing we had:
#include <gnutls/gnutls.h>

#define DH_BITS 1024
/* ... */
/* Client rejects any DH prime shorter than DH_BITS during the handshake. */
gnutls_dh_set_prime_bits(session, DH_BITS);
That's the function call which changes the minimum. So this is *not* a
regression and Exim 4.77 would have been rejecting this too!
Excellent news. I'll revert the change. Wolfgang, if you want to talk
TLS to those folks, you're still able to do so. The
EXIM_CLIENT_DH_MIN_BITS compile-time constant is exposed to
Local/Makefile, and has been since I added it. It wasn't documented, as
it's rather esoteric.
I'll still make it a configure option for 4.81, so I won't document
EXIM_CLIENT_DH_MIN_BITS in spec.txt now, since it's likely to go away
again. Or be repurposed to be the lower bound with a default of 512
while the actual run-time option defaults to 1024.
-Phil
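What that client-side minimum amounts to, as an added example that is not Exim's or GnuTLS's code: a parser for the ServerDHParams structure a TLS 1.x server sends in ServerKeyExchange, followed by the same prime-size check a GnuTLS client applies after gnutls_dh_set_prime_bits(). The 1024-bit default and the sample parameters are constructed assumptions.

```python
"""Client-side check of the DH prime size a server offers, modelled on what
gnutls_dh_set_prime_bits() enables (added example, not Exim or GnuTLS code)."""
import struct

# Assumed default, mirroring the thread's run-time minimum of 1024 bits.
EXIM_CLIENT_DH_MIN_BITS = 1024

def parse_server_dh_params(data: bytes) -> dict:
    """Parse ServerDHParams (RFC 5246 section 7.4.3): three uint16-length-
    prefixed opaque fields dh_p, dh_g, dh_Ys. Raises on truncated input."""
    names = ("dh_p", "dh_g", "dh_Ys")
    fields, off = [], 0
    for name in names:
        if off + 2 > len(data):
            raise ValueError(f"truncated before {name} length")
        (length,) = struct.unpack_from("!H", data, off)
        off += 2
        if length == 0 or off + length > len(data):
            raise ValueError(f"bad length for {name}")
        fields.append(data[off:off + length])
        off += length
    return dict(zip(names, fields))

def prime_bits(dh_p: bytes) -> int:
    """Effective size of p; leading zero bytes do not count, as with an MPI."""
    return int.from_bytes(dh_p, "big").bit_length()

def check_dh_prime(data: bytes, min_bits: int = EXIM_CLIENT_DH_MIN_BITS):
    """Return (accepted, bits): reject primes shorter than min_bits, which is
    the behaviour of a client that called gnutls_dh_set_prime_bits(s, min_bits)."""
    bits = prime_bits(parse_server_dh_params(data)["dh_p"])
    return bits >= min_bits, bits

def _encode_params(p: int, g: int, ys: int) -> bytes:
    """Constructed helper: encode ServerDHParams from integers."""
    out = b""
    for v in (p, g, ys):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(b)) + b
    return out

# Constructed samples with the top bit set so p is exactly 512 / 1024 bits.
# They are not real primes; only the length matters for this check.
WEAK_PARAMS = _encode_params((1 << 511) | 1, 2, 1 << 200)
OK_PARAMS = _encode_params((1 << 1023) | 1, 2, 1 << 200)

if __name__ == "__main__":
    for label, blob in (("512-bit", WEAK_PARAMS), ("1024-bit", OK_PARAMS)):
        accepted, bits = check_dh_prime(blob)
        print(f"{label}: p is {bits} bits -> {'accept' if accepted else 'reject'}")
```

Lowering min_bits to 512, as the thread's compile-time floor would allow, makes the 512-bit sample pass; the parser also rejects a truncated message rather than reading past it.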