https://bugs.exim.org/show_bug.cgi?id=2095
Bug ID: 2095
Summary: custom dhparams with 2236 bit fail to load with default tls_dh_max_bits (openssl)
Product: Exim
Version: 4.89
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
Assignee: jgh146exb@???
Reporter: wbreyha@???
CC: exim-dev@???
I generated custom dhparams with
# openssl dhparam -out dhparams.2017.pem -2 2236
If I ask openssl
----
# openssl dhparam -in dhparams.2017.pem -text
DH Parameters: (2236 bit)
prime:
...
generator: 2 (0x2)
----
it says 2236 bit, but Exim complains loading the file with:
dhparams file 2240 bits, is > tls_dh_max_bits limit of 2236 (nb. <- it seems
the debug output lacks a \n at HEAD:tls-openssl.c:644)
I'm using OpenSSL 1.0.2k both for generating dhparams and Exim runtime.
It seems DH_size causes this because it returns bytes which get multiplied by 8 => 2240.
I also found that OpenSSL 1.1.0 added DH_bits().
Meanwhile it seems safe to set tls_dh_max_bits to 2240.
I found no quick way to get the exact size in bits with <1.1.0.
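As an added example (not part of the report and not Exim's or OpenSSL's code), the following Python reproduces the size mismatch the report describes: a minimal PEM/DER encoder and parser for a DH parameter file, with the byte length of p times 8 (what DH_size()*8 yields) beside the exact bit length (what DH_bits() returns). The prime value is a constructed odd 2236-bit number, not real DH parameters.

```python
import base64
import textwrap

def _der_len(n: int) -> bytes:
    # DER length: short form below 128, else 0x80|count followed by a big-endian count
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:            # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def dh_params_to_pem(p: int, g: int) -> str:
    # DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    b64 = textwrap.fill(base64.b64encode(der).decode(), 64)
    return f"-----BEGIN DH PARAMETERS-----\n{b64}\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf: bytes, i: int):
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:                  # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[i:i + k], "big")
        i += k
    return tag, buf[i:i + n], i + n

def pem_to_dh_params(pem: str):
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE"
    tag_p, p_raw, j = _read_tlv(seq, 0)
    tag_g, g_raw, _ = _read_tlv(seq, j)
    assert tag_p == tag_g == 0x02, "expected INTEGER"
    return int.from_bytes(p_raw, "big"), int.from_bytes(g_raw, "big")

def dh_size_times_8(p: int) -> int:
    # What the report says Exim computed: DH_size() is the byte length of p, times 8.
    return ((p.bit_length() + 7) // 8) * 8

def dh_bits(p: int) -> int:
    # What DH_bits() (OpenSSL 1.1.0+) returns: the exact bit length of p.
    return p.bit_length()

# Constructed value, NOT a prime: an odd 2236-bit number shaped like the reporter's p.
SAMPLE_P = (1 << 2235) | 1
SAMPLE_PEM = dh_params_to_pem(SAMPLE_P, 2)

if __name__ == "__main__":
    p, g = pem_to_dh_params(SAMPLE_PEM)
    print(f"DH_size()*8 = {dh_size_times_8(p)}, DH_bits() = {dh_bits(p)}, g = {g}")
```

Any bit length that is not a multiple of 8 rounds up the same way, so a limit set to the generated size will always be exceeded by the byte-based figure.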