Author: Phil Pennock Date: To: exim-users Subject: Re: [exim] Exim, GnuTLS 3.1.7 and up, DH TLS
On 2013-09-02 at 08:56 +0200, Heiko Schlittermann wrote:
> Newer Exims (4.8x) seem to have a lower default when using GnuTLS. If I raise
> the dh_min_bits to 2048 I see the same behaviour as with the 4.76 version.
>
> tls_require_ciphers I didn't try yet, but I'll do.
I've tracked down the problem. In older releases, Debian used to patch
up the value passed to gnutls_dh_set_prime_bits() to 2048, so they broke
TLS interop with most non-Exim deployments of mail-servers with EDH
support, since AFAIK most other software defaults the parameters
generated, for server-side, to 1024 bits.
This is why I couldn't find the issue in the Exim source.