Re: [exim] Exim, GnuTLS 3.1.7 and up, DH TLS

Top Pagina
Delete this message
Reply to this message
Auteur: Phil Pennock
Datum:  
Aan: exim-users
Onderwerp: Re: [exim] Exim, GnuTLS 3.1.7 and up, DH TLS
On 2013-09-02 at 08:56 +0200, Heiko Schlittermann wrote:
> Newer Exims (4.8x) seem to have a lower default when using GnuTLS. If I rise
> the dh_min_bits to 2048 I see the same behaviour as with the 4.76 version.
>
> tls_require_ciphers I didn't try yet, but I'll do.


I've tracked down the problem. In older releases, Debian used to patch
up the value passed to gnutls_dh_set_prime_bits() to 2048, so they broke
TLS interop with most non-Exim deployments of mail-servers with EDH
support, since AFAIK most other software defaults the parameters
generated, for server-side, to 1024 bits.

This is why I couldn't find the issue in the Exim source.

- -Phil