On Thu, May 26, 2016 at 05:35:56PM +0000, admin@??? wrote:
> https://bugs.exim.org/show_bug.cgi?id=1837
>
> --- Comment #5 from Luke Valenta <luke.valenta@???> ---
> Yes, my mistake. You are correct that DH_check_pub_key is not called from the
> Exim code, and you should not have to worry about calling it. I believe that it
> is called during the SSL_accept function (which is called from Exim).
>
> In light of this, the only changes that should be made to the Exim code are
> replacing the Diffie-Hellman parameters for DSA groups 22, 23, and 24 with a
> version that includes the orders of their subgroups. I've attached a git patch
> with updated DH parameters, as generated by the following OpenSSL commands:
>
> Group 22:
> openssl genpkey -genparam -algorithm DH -outform PEM -pkeyopt dh_rfc5114:1
>
> Group 23:
> openssl genpkey -genparam -algorithm DH -outform PEM -pkeyopt dh_rfc5114:2
>
> Group 24:
> openssl genpkey -genparam -algorithm DH -outform PEM -pkeyopt dh_rfc5114:3
Mind you, an even better approach is to remove support for these
groups.
--
Viktor.
