Re: Exim, DH, GnuTLS & interop
Sep 3, 2013
On 2013-09-01 at 19:02 -0400, Wietse Venema wrote:
> Second, we have to be mindful that Postfix and Exim are not the
> only MTAs in existence. If placating Exim results in the loss of
> interoperability with other MTAs, then we may have to reconsider
> our approach.

Okay, I have identified the root cause. The systems that need to be
placated are older Debian installs, and the method should be broadly

Debian used to patch, in their build system, the value passed to
gnutls_dh_set_prime_bits() from 1024 to 2048. This is the value of the
size of the DH parameters which is the "minimum considered acceptable".
So Debian broke interop with "66_enlarge-dh-parameters-size.dpatch".

Those maintaining Exim/Postfix setups should upgrade Exim to a recent
version; after my overhaul back in 4.80, Debian stopped changing the
value in their patches.

The most compatible thing I know of for Postfix users to do is to
generate DH parameters of size 2048, or very slightly larger, but *not*
larger than 2236, which was for some time the NSS value of

If anyone knows of an MTA with which interop would be broken by using
server DH parameters of size 2048, please do let me know.
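The post's practical advice is a size window for server DH parameters: at least 2048 bits (the value Debian's patch passed to gnutls_dh_set_prime_bits()) but not above 2236. The following is an added example, not code from the post, from Exim, Postfix or Debian, that lets an operator check an existing "DH PARAMETERS" PEM file against that window before deploying it. It hand-encodes and decodes the PKCS#3 DHParameter structure (SEQUENCE { INTEGER p, INTEGER g }) with only the standard library; the function and constant names (MIN_BITS, MAX_BITS, dh_prime_bits, interop_verdict) are this example's own, and the sample parameters it builds are constructed odd integers of a given bit length, not real primes, used only to exercise the size check.

```python
"""Added example: report the DH prime size of a PEM "DH PARAMETERS" file
and compare it with the 2048..2236-bit window from the mailing-list post.

Stand-alone and offline; the DER codec below covers only what PKCS#3
DHParameter needs. Sample parameters are constructed test integers, NOT
safe primes, and must never be used as real DH parameters.
"""
import base64
import re

MIN_BITS = 2048   # Debian's patched gnutls_dh_set_prime_bits() minimum
MAX_BITS = 2236   # upper bound the post gives for NSS interop


def _der_length(n: int) -> bytes:
    """DER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (0x00 prefix if top bit set)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_dh_params(p: int, g: int) -> bytes:
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    inner = _der_integer(p) + _der_integer(g)
    return b"\x30" + _der_length(len(inner)) + inner


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def from_pem(pem: str) -> bytes:
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value bytes, offset just past this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_dh_params(der: bytes):
    """Return (p, g); any trailing optional fields are ignored."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, nxt = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, nxt)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_prime_bits(pem: str) -> int:
    p, _ = decode_dh_params(from_pem(pem))
    return p.bit_length()


def interop_verdict(pem: str) -> str:
    """Classify a parameter file against the post's recommended window."""
    bits = dh_prime_bits(pem)
    if bits < MIN_BITS:
        return f"{bits} bits: too small, below the 2048-bit Debian minimum"
    if bits > MAX_BITS:
        return f"{bits} bits: above the 2236-bit bound the post recommends"
    return f"{bits} bits: within the 2048..2236 window"


def constructed_prime(bits: int) -> int:
    """Constructed odd integer with exactly `bits` bits (NOT a real prime)."""
    return (1 << (bits - 1)) | (0x5A5A5A5A << 8) | 1


# Constructed sample files at three sizes, for exercising the check.
SAMPLES = {b: to_pem(encode_dh_params(constructed_prime(b), 2))
           for b in (1024, 2048, 4096)}

if __name__ == "__main__":
    for pem in SAMPLES.values():
        print(interop_verdict(pem))
```

On a real system, feed it the output of `openssl dhparam -out dh2048.pem 2048` (which writes a "DH PARAMETERS" PEM) by passing the file contents to interop_verdict(); the decoder reads only the first two INTEGERs, so files carrying an optional trailing field still parse.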