[exim-cvs] tls_dhparam size constraint suggestions.

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] tls_dhparam size constraint suggestions.
Gitweb: http://git.exim.org/exim.git/commitdiff/abf05f332065a5cd05e9569945b0e3e12bd7ba92
Commit:     abf05f332065a5cd05e9569945b0e3e12bd7ba92
Parent:     42bfef1e908fe60f8a7a86e66616b51702f1c0fb
Author:     Phil Pennock <pdp@???>
AuthorDate: Wed Sep 4 10:58:51 2013 -0700
Committer:  Phil Pennock <pdp@???>
CommitDate: Wed Sep 4 10:58:51 2013 -0700


    tls_dhparam size constraint suggestions.


    Between NSS and Debian patching of older Exim releases, there's a narrow
    range of values likely to interoperate well.  Document this.
---
 doc/doc-docbook/spec.xfpt |   17 ++++++++++++++++-
 1 files changed, 16 insertions(+), 1 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index ae6e33e..371b28e 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16031,6 +16031,21 @@ The available primes are:
Some of these will be too small to be accepted by clients.
Some may be too large to be accepted by clients.

+The TLS protocol does not negotiate an acceptable size for this; clients tend
+to hard-drop connections if what is offered by the server is unacceptable,
+whether too large or too small, and there's no provision for the client to
+tell the server what these constraints are. Thus, as a server operator, you
+need to make an educated guess as to what is most likely to work for your
+userbase.
+
+Some known size constraints suggest that a bit-size in the range 2048 to 2236
+is most likely to maximise interoperability. The upper bound comes from
+applications using the Mozilla Network Security Services (NSS) library, which
+used to set its &`DH_MAX_P_BITS`& upper-bound to 2236. This affects many
+mail user agents (MUAs). The lower bound comes from Debian installs of Exim4
+prior to the 4.80 release, as Debian used to patch Exim to raise the minimum
+acceptable bound from 1024 to 2048.
+

.option tls_on_connect_ports main "string list" unset
This option specifies a list of incoming SSMTP (aka SMTPS) ports that should
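Review bot: the new paragraph gives a recommended range (2048 to 2236 bits) but leaves the reader to work out which of the primes listed just above ("The available primes are:") actually fall inside it; consider naming the qualifying primes here, or stating explicitly that the others are either below 2048 or above 2236, so an operator can pick a value without consulting the RFCs. Two smaller points in the same text: "used to set its DH_MAX_P_BITS upper-bound to 2236" would be more useful with the NSS version in which the limit changed, so readers can judge whether their MUA population is still affected; and the Debian sentence describes the remote peer acting as a TLS client (a pre-4.80 Debian Exim refusing a server-offered prime smaller than 2048 bits), which is worth saying outright, e.g. "when the remote Exim is the client", since the option being documented is the server-side one.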
@@ -25686,7 +25701,7 @@ tls_dhparam = none
This may also be set to a string identifying a standard prime to be used for
DH; if it is set to &`default`& or, for OpenSSL, is unset, then the prime
used is &`ike23`&. There are a few standard primes available, see the
-documetnation for &%tls_dhparam%& for the complete list.
+documentation for &%tls_dhparam%& for the complete list.

See the command
.code