[exim-dev] [Bug 1415] New: Diffie-Hellman parameters

Author: Fedor Brunner
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1415] New: Diffie-Hellman parameters
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1415
           Summary: Diffie-Hellman parameters
           Product: Exim
           Version: N/A
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
        AssignedTo: pdp@???
        ReportedBy: fedor.brunner@???
                CC: exim-dev@???



Hi,
in Exim configuration files and documentation (in multiple places), you are
assuming that the Mozilla Network Security Services (NSS) library supports a
maximum length of 2236 bits for Diffie-Hellman parameters.

This limitation was already removed in NSS 3.14:
https://bugzilla.mozilla.org/show_bug.cgi?id=636802

GnuTLS supports up to 15360 bit DH params
OpenSSL supports up to 16384 bit DH params
NSS library supports up to 16384 bit DH params

Please remove the artificial restriction to 2236-bit DH parameters.


Consider also increasing the default DH parameters from 2048 bits to 4096. The
ECRYPT recommendation for DH parameters is 3248 bits for long-term protection.
If you are interested in more technical information about key sizes, I highly
recommend:

http://www.keylength.com/en/compare/

Yearly Report on Algorithms and Keysizes (2012), D.SPA.20 Rev. 1.0,
ICT-2007-216676 ECRYPT II, 09/2012.

Recommendation for Key Management, Special Publication 800-57 Part 1
Rev. 3, NIST, 07/2012


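The report above turns on one number: the bit length of the prime p in a DH
parameter file versus a cap an MTA applies before using it. The following is
an added example, not code from the bug report or from Exim, showing how to
read that bit length directly out of a PEM "DH PARAMETERS" file (PKCS#3
DHParameter, a DER SEQUENCE of the prime and the generator) and compare it
against a cap such as the 2236-bit one discussed here (the Exim option that
expresses this cap is, as far as I recall, tls_dh_max_bits; that name comes
from the Exim specification, not from this message). The sample parameter
files are constructed placeholders of the right size, not real safe primes,
so the script runs offline without a minutes-long dhparam generation.

```python
import base64
import re

# Minimal DER helpers for PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }.
# (An optional privateValueLength INTEGER may follow; the decoder ignores it.)


def _der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """Encode a non-negative integer as a DER INTEGER (leading 0x00 if the top bit is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_params(p: int, g: int) -> bytes:
    """DER-encode DHParameter { p, g }."""
    body = _der_integer(p) + _der_integer(g)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(der: bytes):
    """Parse a DER DHParameter and return (p, g)."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a DHParameter SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(body, 0)
    tag_g, g_bytes, _ = _read_tlv(body, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("prime and base must be INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def pem_encode(der: bytes) -> str:
    """Wrap DER in the PEM armour OpenSSL writes for 'openssl dhparam'."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def pem_decode(pem: str) -> bytes:
    """Extract and base64-decode the DH PARAMETERS block from PEM text."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def dh_prime_bits(pem: str) -> int:
    """Bit length of the DH prime p in a PEM 'DH PARAMETERS' file."""
    p, _g = decode_dh_params(pem_decode(pem))
    return p.bit_length()


def check_dhparam(pem: str, max_bits: int):
    """Return (bits, fits): fits is False when p is larger than the configured cap."""
    bits = dh_prime_bits(pem)
    return bits, bits <= max_bits


def placeholder_dhparam(bits: int) -> str:
    """Constructed sample with a p of exactly `bits` bits. NOT a real (safe) prime;
    it only stands in for the size of a real dhparam file in this example."""
    p = (1 << (bits - 1)) | 1
    return pem_encode(encode_dh_params(p, 2))


if __name__ == "__main__":
    # The 2236-bit cap from the report versus 2048-, 2236- and 4096-bit parameter files.
    for size in (2048, 2236, 4096):
        bits, fits = check_dhparam(placeholder_dhparam(size), 2236)
        print(f"{bits}-bit p: {'within' if fits else 'exceeds'} the 2236-bit cap")
```

On a real file, pass `open("/etc/exim/dhparam.pem").read()` to `check_dhparam`;
`openssl dhparam -text -noout -in dhparam.pem` reports the same size and is the
quick way to confirm that a freshly generated 4096-bit file is what it claims.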