Hi,
"Fundemap S.A. - Sergio Sánchez" <administracion3@???> (Fr 01 Apr 2016 19:18:32 CEST):
> Hi,
>
> i'm having tls errors like this:
> TLS error on connection to mail.xxxx1.com.ar [ip] (gnutls_handshake): The
> Diffie-Hellman prime sent by the server is not acceptable (not long enough).
> TLS error on connection from mail.xxxx2.com.ar (nameserver) [ip]
> (gnutls_handshake): A record packet with illegal version was received.
If I remember well, this was a problem that only occured on Debian
systems.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684340
I think the problem is caused by a debian specific „enhancement“ of the
GnutTLS libs. They require a certain minimum length of the DH prime.
(In more detail and in my understanding, it may be completly wrong:
Exim just uses GnuTLS/OpenSSL with defaults settings, and the default
settings of GnuTLS were safe. But Debian maintainers decided to rise the
minimum requirements in the GnuTLS runtime.)
Often the other side (here in DE mostly big ISPs) doesn't follow that
requirement and thus the connection falls back to non-TLS (if
acceptable).
> My config is:
> exim4 -bV
> Exim version 4.71 #1 built 01-Jan-2010 14:03:12
> Copyright (c) University of Cambridge, 1995 - 2007
..
> GnuTLS compile-time version: 2.8.5
> GnuTLS runtime version: 2.8.5
> Configuration file is /var/lib/exim4/config.autogenerated
commit 3375e053c40dacf62a7eac02d52438a43398c053
Author: Phil Pennock <pdp@???>
Date: Sun May 20 21:49:40 2012 -0400
Added tls_dh_max_bits & check tls_require_ciphers early.
I'm not sure if it's enough to change the GnuTLS runtime.
Exim has an option tls_dh_max_bits, I think, it was created to solve
this problem. It's in the source since 4.80 RC2, so 4.80 should contain
that option already.
Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -