Re: [exim] Exim TLS security, DH and standard parameters

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M\Phil Pennock at <-
MMJeremy Harris at ->
Delete this message
Reply to this message
Author: Lena
Date:  
To: exim-users
Subject: Re: [exim] Exim TLS security, DH and standard parameters
> From: Phil Pennock

> Short version: used to be utterly horrible for OpenSSL users; got
> better, but we now believe not as much better as we'd hoped; we now
> believe that for GnuTLS users, things got a little worse instead of
> being a no-op. In the next version of Exim (4.88) it's better still by
> default, but manually generating a file for your `tls_dhparam` setting
> avoids the issue, always has, and is the best way forward.

Am I understanding you correctly? That you recommend every
Exim admin using OpenSSL to specify in the beginning of Exim config

tls_dhparam = /path/dhparam.pem

where the file should be generated once with commands

openssl dhparam -out /path/dhparam.pem 2236
chown root:mail /path/dhparam.pem
chmod 640 /path/dhparam.pem

For FreeBSD the /path/ can be /usr/local/etc/exim/

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] 2nd Stage DNS blockingRe: [exim] Exim TLS security, DH and standard parameters->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)