Re: [exim] Exim, GnuTLS 3.1.7 and up, DH TLS

Author: Phil Pennock
Date:  
To: exim-users
Subject: Re: [exim] Exim, GnuTLS 3.1.7 and up, DH TLS
On 2013-09-02 at 08:56 +0200, Heiko Schlittermann wrote:
> Newer Exims (4.8x) seem to have a lower default when using GnuTLS. If I raise
> the dh_min_bits to 2048 I see the same behaviour as with the 4.76 version.
>
> tls_require_ciphers I didn't try yet, but I'll do.
I've tracked down the problem. In older releases, Debian used to patch
up the value passed to gnutls_dh_set_prime_bits() to 2048, so they broke
TLS interop with most non-Exim deployments of mail-servers with EDH
support, since AFAIK most other software defaults the parameters
generated, for server-side, to 1024 bits.

This is why I couldn't find the issue in the Exim source.

-Phil
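The interop failure Phil describes is a client-side minimum on the DH prime size colliding with servers that still generate 1024-bit parameters. The following is an added example, not Exim, GnuTLS or Debian code: it parses the ServerDHParams portion of a TLS 1.x DHE ServerKeyExchange (dh_p, dh_g, dh_Ys, each with a 2-byte length prefix) and applies a dh_min_bits-style threshold, so you can see why a 2048-bit minimum rejects a 1024-bit peer. The sample messages are constructed inline with placeholder moduli; only their bit length matters for the check.

```python
"""Check the DH prime size a TLS server offers against a client minimum.

Added example (not Exim or GnuTLS code). Parses the ServerDHParams fields of
a TLS 1.x DHE ServerKeyExchange body: dh_p, dh_g, dh_Ys, each length-prefixed
with 2 bytes (the trailing signature is ignored). Sample messages below are
constructed here, not captured from a real server.
"""
import struct


def parse_server_dh_params(body: bytes) -> dict:
    """Return p, g and Ys as integers, raising ValueError on truncation."""
    fields = {}
    off = 0
    for name in ("p", "g", "Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before length of dh_{name}")
        (length,) = struct.unpack_from("!H", body, off)
        off += 2
        if off + length > len(body):
            raise ValueError(f"truncated inside dh_{name}")
        fields[name] = int.from_bytes(body[off:off + length], "big")
        off += length
    return fields


def dh_prime_bits(body: bytes) -> int:
    """Bit length of the server's DH modulus (what a min-bits policy compares)."""
    return parse_server_dh_params(body)["p"].bit_length()


def accept_dh(body: bytes, min_bits: int) -> bool:
    """Mimic a client that refuses DH primes smaller than its dh_min_bits."""
    return dh_prime_bits(body) >= min_bits


def _encode(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(raw)) + raw


def build_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Serialize ServerDHParams the way a DHE server would (constructed input)."""
    return _encode(p) + _encode(g) + _encode(ys)


# Constructed placeholders: a 1024-bit and a 2048-bit odd modulus. They are
# not safe primes; this check only looks at the size, like a min-bits policy.
MSG_1024 = build_server_dh_params((1 << 1023) | 1, 2, 12345)
MSG_2048 = build_server_dh_params((1 << 2047) | 1, 2, 12345)

if __name__ == "__main__":
    for label, msg in (("1024-bit server", MSG_1024), ("2048-bit server", MSG_2048)):
        print(label, "prime bits:", dh_prime_bits(msg), "accepted at min 2048:", accept_dh(msg, 2048))
```

A server that only generates 1024-bit parameters passes at a 1024-bit minimum and fails at 2048, which is the behaviour change Heiko observed after raising dh_min_bits.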