On Wed, Jan 15, 2014 at 05:55:26AM -0800, Todd Lyons wrote:
> There is a line in src/ssl-gnu.c:
>
> #define EXIM_CLIENT_DH_MIN_BITS 1024
>
> Apparently some (all?) servers at yahoo are using gnutls with a lower
> setting. You might be able to override this and rebuild exim (though
> that's not advised, you'll create problems for people sending to you).
> This is not a runtime setting, only build time.
No. Yahoo's server key exchange message is 525 bytes, which is
large enough for a 2048-bit RSA signature (256 bytes) + 2 1024-bit
values (p, g^S), a short generator and a key exchange algorithm
number. They sure seem to be using a 1024-bit prime.
The OP can try wireshark if a more complete decode is desired.
> > After some googling I thought maybe my self signed TLS key was not strong
> > enough and so regenerated it with -
>
> Nah, it's not your key with the problem, it's the other side.
No, it is the OP's problem, but with his dh_min_bits configuration, not
his private key or certificate.
--
Viktor.
