[exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS

Author: admin
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 2822] New: Issues with DHE ciphers - problems with GnuTLS implementation?
Subject: [exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #10 from Simon Arlott <bugzilla.exim.simon@???> ---
(In reply to Jeremy Harris from comment #5)
> (In reply to Ferry from comment #4)
> > According to the responses there either:
> > gnutls_certificate_set_dh_params or gnutls_certificate_set_known_dh_params
> > should be called.
>
> For both of those the GnuTLS docs say
> "This function is unnecessary and discouraged on GnuTLS 3.6.0 or
>        later. Since 3.6.0, DH parameters are negotiated following
>        RFC7919."
>
> We're doing what those docs say. If they are *wrong* then it's a bug
> in GnuTLS, or in the GnuTLS docs. We'd like to know, but I see no project
> acknowledgement of the issue in the Gitlab page you reference, or action.


The comments on https://gitlab.com/gnutls/gnutls/-/issues/1077 by the GnuTLS
project team indicate that if neither function is used then the client would
have to indicate which DH parameters should be used. In the absence of that,
Exim is going to have to call one of them.

gnutls_certificate_set_known_dh_params() would be more appropriate than
gnutls_certificate_set_dh_params().

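The point this comment makes (since GnuTLS 3.6.0 the DHE group comes from the client's RFC 7919 supported_groups list, so a client that names no FFDHE group gets no DHE suites unless the server installs parameters of its own) is shown below as an added example. It is not code from the bug report, from Exim or from GnuTLS; the ClientHello extension bytes are constructed samples and the function names are this example's own.

```c
/*
 * Added example (not Exim or GnuTLS code): why a TLS server that relies on
 * RFC 7919 group negotiation can end up with no DHE ciphers at all.
 *
 * Since GnuTLS 3.6.0 the server picks a DHE group from the client's
 * supported_groups extension (RFC 7919 FFDHE code points). If the client
 * lists no FFDHE group, there is nothing to negotiate, and unless the
 * server has installed parameters of its own, DHE suites are simply absent.
 * All ClientHello bytes below are constructed samples.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NamedGroup code points (RFC 8422 for the curves, RFC 7919 for FFDHE). */
#define NG_SECP256R1 0x0017
#define NG_SECP384R1 0x0018
#define NG_X25519    0x001d
#define NG_FFDHE2048 0x0100
#define NG_FFDHE3072 0x0101
#define NG_FFDHE4096 0x0102
#define NG_FFDHE6144 0x0103
#define NG_FFDHE8192 0x0104

enum dhe_outcome {
    DHE_MALFORMED = -1,          /* extension_data does not parse */
    DHE_NEEDS_SERVER_PARAMS = 0, /* no FFDHE group: DHE only if the server sets params */
    DHE_RFC7919 = 1              /* client named an FFDHE group: negotiable */
};

/*
 * Parse the extension_data of supported_groups (extension type 10):
 *   uint16 named_group_list length, then a list of uint16 NamedGroup values.
 * Returns the first FFDHE group in the client's preference order, 0 if the
 * client offered none, or -1 if the encoding is malformed.
 */
int first_ffdhe_group(const uint8_t *ext, size_t len)
{
    size_t list_len;
    size_t i;

    if (ext == NULL || len < 2)
        return -1;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    /* The length prefix must cover exactly the rest, and groups are 2 bytes each. */
    if (list_len + 2 != len || (list_len & 1) != 0)
        return -1;
    for (i = 2; i + 1 < len; i += 2) {
        uint16_t group = (uint16_t)((ext[i] << 8) | ext[i + 1]);
        if (group >= NG_FFDHE2048 && group <= NG_FFDHE8192)
            return group;
    }
    return 0;
}

/* Decide where DHE parameters can come from for this ClientHello. */
enum dhe_outcome dhe_outcome_for(const uint8_t *ext, size_t len)
{
    int g = first_ffdhe_group(ext, len);
    if (g < 0)
        return DHE_MALFORMED;
    return g ? DHE_RFC7919 : DHE_NEEDS_SERVER_PARAMS;
}

/* Constructed sample: a client that lists FFDHE groups after its curves. */
static const uint8_t client_with_ffdhe[] = {
    0x00, 0x08,             /* named_group_list length: 4 groups */
    0x00, 0x1d,             /* x25519 */
    0x00, 0x17,             /* secp256r1 */
    0x01, 0x00,             /* ffdhe2048 */
    0x01, 0x01              /* ffdhe3072 */
};

/* Constructed sample: a client that only offers curves (no FFDHE groups). */
static const uint8_t client_without_ffdhe[] = {
    0x00, 0x06,             /* named_group_list length: 3 groups */
    0x00, 0x1d,             /* x25519 */
    0x00, 0x17,             /* secp256r1 */
    0x00, 0x18              /* secp384r1 */
};

/* Constructed sample: length prefix claims more bytes than are present. */
static const uint8_t client_malformed[] = { 0x00, 0x04, 0x00, 0x1d };

static const char *describe(enum dhe_outcome o)
{
    switch (o) {
    case DHE_RFC7919:             return "DHE via RFC 7919 group from client";
    case DHE_NEEDS_SERVER_PARAMS: return "no FFDHE group offered: DHE needs server-side params";
    default:                      return "malformed supported_groups extension";
    }
}

int main(void)
{
    printf("client A: %s\n", describe(dhe_outcome_for(client_with_ffdhe, sizeof client_with_ffdhe)));
    printf("client B: %s\n", describe(dhe_outcome_for(client_without_ffdhe, sizeof client_without_ffdhe)));
    printf("client C: %s\n", describe(dhe_outcome_for(client_malformed, sizeof client_malformed)));
    return 0;
}
```

Client B is the case the bug is about: with GnuTLS 3.6 or later and no server-installed parameters, such a client sees no DHE suites at all. The remedy named in the thread is for the server to call gnutls_certificate_set_known_dh_params() on its credentials before the handshake; which security level to pass (for example GNUTLS_SEC_PARAM_MEDIUM) is a choice for the deployment, not something this page specifies.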