(Not) funny. I was wrong on BOTH counts. It is a runtime
configuration and it is the user's problem. I guess I have been
fortunate enough to have only ever used OpenSSL because it has always
just worked without need for tweaking.
...Todd
On Wed, Jan 15, 2014 at 12:18 PM, Viktor Dukhovni
<exim-users@???> wrote:
> On Wed, Jan 15, 2014 at 05:55:26AM -0800, Todd Lyons wrote:
>
>> There is a line in src/ssl-gnu.c:
>>
>> #define EXIM_CLIENT_DH_MIN_BITS 1024
>>
>> Apparently some (all?) servers at yahoo are using gnutls with a lower
>> setting. You might be able to override this and rebuild exim (though
>> that's not advised, you'll create problems for people sending to you).
>> This is not a runtime setting, only build time.
>
> No. Yahoo's server key exchange message is 525 bytes, which is
> large enough for a 2048-bit RSA signature (256 bytes) + 2 1024-bit
> values (p, g^S), a short generator and a key exchange algorithm
> number. They sure seem to be using a 1024-bit prime.
>
> The OP can try wireshark if a more complete decode is desired.
>
>> > After some googling I thought maybe my self signed TLS key was not strong
>> > enough and so regenerated it with -
>>
>> Nah, it's not your key with the problem, it's the other side.
>
> No, it is the OP's problem, but with his dh_min_bits configuration, not
> his private key or certificate.
>
> --
> Viktor.
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
