[exim-dev] [Bug 2095] New: custom dhparams with 2236 bit fail to load with default tls_dh_max_bits (openssl)

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2095] New: custom dhparams with 2236 bit fail to load with default tls_dh_max_bits (openssl)
https://bugs.exim.org/show_bug.cgi?id=2095

            Bug ID: 2095
           Summary: custom dhparams with 2236 bit fail to load with
                    default tls_dh_max_bits (openssl)
           Product: Exim
           Version: 4.89
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
          Assignee: jgh146exb@???
          Reporter: wbreyha@???
                CC: exim-dev@???


I generated custom dhparams with
# openssl dhparam -out dhparams.2017.pem -2 2236

If I ask openssl
----
# openssl dhparam -in dhparams.2017.pem -text
    DH Parameters: (2236 bit)
        prime:
...
        generator: 2 (0x2)
----
it says 2236 bit, but Exim complains when loading the file with:
dhparams file 2240 bits, is > tls_dh_max_bits limit of 2236
(nb. it seems the debug output lacks a \n at HEAD:tls-openssl.c:644)


I'm using OpenSSL 1.0.2k both for generating dhparams and Exim runtime.

It seems DH_size causes this because it returns bytes, which get multiplied by 8
=> 2240.

I also found that OpenSSL 1.1.0 added DH_bits().

Meanwhile it seems safe to set tls_dh_max_bits to 2240.

I found no quick way to get the exact size in bits with <1.1.0.
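The rounding described in the report, as an added illustration that is not part of the bug report or of Exim's code: DH_size() returns the byte length of the prime, so multiplying by 8 rounds any bit length up to the next multiple of 8, while an exact count (what BN_num_bits() on the prime, or DH_bits() from 1.1.0, gives) does not. The example uses a constructed 280-byte stand-in for a 2236-bit prime rather than real DH parameters, and avoids linking against OpenSSL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Exact bit length of a big-endian unsigned integer, counted the way
 * OpenSSL's BN_num_bits() does: skip leading zero bytes, then count
 * the significant bits of the first non-zero byte. */
static size_t exact_bits(const unsigned char *p, size_t len)
{
    size_t i = 0;
    while (i < len && p[i] == 0) i++;
    if (i == len) return 0;
    size_t bits = (len - i - 1) * 8;
    for (unsigned char b = p[i]; b; b >>= 1) bits++;
    return bits;
}

/* What DH_size() * 8 yields: the byte length of the prime times eight,
 * i.e. the exact length rounded up to a multiple of 8. */
static size_t dh_size_bits(const unsigned char *p, size_t len)
{
    size_t i = 0;
    while (i < len && p[i] == 0) i++;
    return (len - i) * 8;
}

/* The tls_dh_max_bits check: reject when the measured size exceeds it. */
static int dh_accepted(size_t measured_bits, size_t tls_dh_max_bits)
{
    return measured_bits <= tls_dh_max_bits;
}

/* Constructed stand-in for a 2236-bit prime: 280 bytes (2240 bits) whose
 * top byte is 0x0F, so only 2236 bits are significant. Not a real prime. */
static unsigned char sample_p[280];

static void init_sample(void)
{
    memset(sample_p, 0xFF, sizeof sample_p);
    sample_p[0] = 0x0F; /* 4 leading zero bits: 2240 - 4 = 2236 */
}

int main(void)
{
    init_sample();
    size_t max = 2236; /* the default tls_dh_max_bits from the report */
    size_t exact = exact_bits(sample_p, sizeof sample_p);
    size_t rounded = dh_size_bits(sample_p, sizeof sample_p);
    printf("exact:     %zu bits, accepted=%d\n", exact, dh_accepted(exact, max));
    printf("DH_size*8: %zu bits, accepted=%d\n", rounded, dh_accepted(rounded, max));
    return 0;
}
```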
