Re: [exim] Diffie-Hellman?

Author: Todd Lyons
Date:  
To: Oliver Howe
CC: exim-users
Subject: Re: [exim] Diffie-Hellman?
On Wed, Jan 15, 2014 at 3:02 AM, Oliver Howe <ojhowe@???> wrote:
> I've recently started seeing these error messages when sending to yahoo
>
> 2014-01-15 10:49:55 1W3O2j-0002iY-Mv TLS error on connection to
> mta5.am0.yahoodns.net [98.138.112.34] (gnutls_handshake): The
> Diffie-Hellman prime sent by the server is not acceptable (not long enough)

There is a line in src/ssl-gnu.c:

#define EXIM_CLIENT_DH_MIN_BITS 1024

Apparently some (all?) servers at yahoo are using gnutls with a lower
setting. You might be able to override this and rebuild exim (though
that's not advised, you'll create problems for people sending to you).
This is not a runtime setting, only build time.

> After some googling I thought maybe my self signed TLS key was not strong
> enough and so regenerated it with -

Nah, it's not your key with the problem, it's the other side.

...Todd

--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
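As an added illustration (not part of the thread or of Exim itself), a small Python log-triage helper that picks the gnutls_handshake "Diffie-Hellman prime ... not long enough" rejections out of Exim main-log lines, re-joins records that were wrapped across lines in a mail quote, and counts them per remote host so an operator can see which destinations are affected; every host name and address except the yahoo one quoted above is constructed.

```python
import re
from collections import Counter

# Exim main-log record shape for the client-side GnuTLS handshake failure:
#   <date> <time> <message-id> TLS error on connection to <host> [<ip>] (<stage>): <reason>
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} ")
TLS_ERROR = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msgid>\S+) "
    r"TLS error on connection to (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"\((?P<stage>[^)]+)\): (?P<reason>.*)$"
)
DH_TOO_SHORT = "Diffie-Hellman prime sent by the server is not acceptable"

# Constructed sample log: the first record is the one quoted in the thread (wrapped
# over three lines as it was in the mail); the rest use reserved example names/addresses.
SAMPLE_LOG = """\
2014-01-15 10:49:55 1W3O2j-0002iY-Mv TLS error on connection to
mta5.am0.yahoodns.net [98.138.112.34] (gnutls_handshake): The
Diffie-Hellman prime sent by the server is not acceptable (not long enough)
2014-01-15 10:51:02 1W3O4H-0002jQ-Aa TLS error on connection to mta5.am0.yahoodns.net [98.138.112.34] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough)
2014-01-15 10:52:10 1W3O5P-0002kB-Bb TLS error on connection to mx.example.test [192.0.2.25] (gnutls_handshake): A TLS fatal alert has been received.
2014-01-15 10:53:00 1W3O6Q-0002lC-Cc => bob@example.test R=dnslookup T=remote_smtp H=mx2.example.test [192.0.2.26] X=TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128
""".splitlines()


def join_wrapped(lines):
    """Re-join records wrapped across lines: a line without a leading timestamp
    is a continuation of the previous record."""
    records = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_tls_errors(lines):
    """Return one dict per 'TLS error on connection to' record (other records are skipped)."""
    return [m.groupdict() for m in map(TLS_ERROR.match, join_wrapped(lines)) if m]


def short_dh_by_host(lines):
    """Count handshakes rejected for a too-short DH prime, keyed by (host, ip).
    These fail on the remote server's DH parameters, not on the local certificate."""
    c = Counter()
    for e in parse_tls_errors(lines):
        if DH_TOO_SHORT in e["reason"]:
            c[(e["host"], e["ip"])] += 1
    return c
```

Feed it your real mainlog with `short_dh_by_host(open("/var/log/exim4/mainlog"))` (path is an assumption; it varies by distribution) to list the peers whose DH primes fall below EXIM_CLIENT_DH_MIN_BITS.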