https://bugs.exim.org/show_bug.cgi?id=2822
--- Comment #4 from Ferry <freaky@???> ---
Hi,
GnuTLS matrix channel referred to:
https://gitlab.com/gnutls/gnutls/-/issues/1077
According to the responses there either:
gnutls_certificate_set_dh_params or gnutls_certificate_set_known_dh_params
should be called.
I presume the latter isn't called either, since in our setup tls_dhparam points
to a 4096 dhparam set (file in PEM format).
--
Not really versed at this level, but there are known parameters referencing the
mentioned RFC7919. For example here:
https://git.furworks.de/opensourcemirror/opnsense-core/commit/79bf33a1cad1f6c7ca74d47d47bcc25f70cfea4d
- since the RFC more or less states these are secure and there being no known
advantages (but do reference some disadvantages) versus random, why not include
these?
If someone would set tls_dhparam I personally think those should be used or the
option should be removed. Don't have a preference - it's just that they don't
seem to do anything currently (at least, would have expected DHE to work if
they were loaded seems the issue seems to stem from there being no dhparams in
the stack).
Mozilla seems to be using the same, although they only seem to offer the 2048 &
4096 variants here:
https://ssl-config.mozilla.org/ffdhe2048.txt
https://ssl-config.mozilla.org/ffdhe4096.txt
Which they reference (depening on the config) in their SSL/TLS config generator
here
https://ssl-config.mozilla.org/ (the strong/modern variants only include
ECDHE but (some) lower ones on some have comments fetching them with curl).
--
You are receiving this mail because:
You are on the CC list for the bug.