Re: Exim, DH, GnuTLS & interop

  • Phil Pennock
    Sep 3, 2013

      On 2013-09-01 at 19:02 -0400, Wietse Venema wrote:
      > Second, we have to be mindful that Postfix and Exim are not the
      > only MTAs in existence. If placating Exim results in the loss of
      > interoperability with other MTAs, then we may have to reconsider
      > our approach.

      Okay, I have identified the root cause. The systems that need to be
      placated are older Debian installs, and the method should be broadly
      compatible.

      Debian used to patch, in their build system, the value passed to
      gnutls_dh_set_prime_bits() from 1024 to 2048. This is the value of the
      size of the DH parameters which is the "minimum considered acceptable".
      So Debian broke interop with "66_enlarge-dh-parameters-size.dpatch".

      Those maintaining Exim/Postfix setups should upgrade Exim to a recent
      version; after my overhaul back in 4.80, Debian stopped changing the
      value in their patches.

      The most compatible thing I know of for Postfix users to do is to
      generate DH parameters of size 2048, or very slightly larger, but *not*
      larger than 2236, which was for some time the NSS value of
      DH_MAX_P_BITS.

      If anyone knows of an MTA with which interop would be broken by using
      server DH parameters of size 2048, please do let me know.

      -Phil
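Added example (not from the thread, Postfix or Exim): a stdlib-only checker that reads a PEM "DH PARAMETERS" file in the PKCS#3 layout `openssl dhparam` writes (SEQUENCE { p, g }) and reports whether the prime's bit length falls in the window Phil describes, at least 2048 bits so the patched Debian Exim builds accept it, and at most 2236 bits (the old NSS DH_MAX_P_BITS). The sample parameters are constructed in the block with a non-prime stand-in value; only its bit length matters for the check, and the encoder exists solely to build that test input.

```python
import base64
import re

def _der_len_decode(buf, i):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _der_int_decode(buf, i):
    """Decode a DER INTEGER at buf[i]; return (value, index after it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    length, start = _der_len_decode(buf, i + 1)
    return int.from_bytes(buf[start:start + length], "big", signed=True), start + length

def parse_dh_params(pem):
    """Return (p, g) from a PKCS#3 'DH PARAMETERS' PEM block: SEQUENCE { p, g, ... }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, i = _der_len_decode(der, 1)      # skip the outer SEQUENCE length
    p, i = _der_int_decode(der, i)      # prime
    g, _ = _der_int_decode(der, i)      # generator; optional trailing field ignored
    return p, g

def check_dh_size(pem, lo=2048, hi=2236):
    """Return (acceptable, prime_bits): acceptable when lo <= prime bits <= hi."""
    p, _ = parse_dh_params(pem)
    return lo <= p.bit_length() <= hi, p.bit_length()

def _der_len_encode(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def make_dh_params_pem(p, g=2):
    """Encode (p, g) as a 'DH PARAMETERS' PEM. Test-input builder only: p is not checked
    for primality, so never install output of this function on a real server."""
    ints = b""
    for v in (p, g):
        body = v.to_bytes(v.bit_length() // 8 + 1, "big")   # minimal positive DER INTEGER
        ints += b"\x02" + _der_len_encode(len(body)) + body
    b64 = base64.b64encode(b"\x30" + _der_len_encode(len(ints)) + ints).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"

# Constructed samples: odd numbers of the stated bit length standing in for real primes.
SAMPLE_2048 = make_dh_params_pem((1 << 2047) | 1)   # check_dh_size -> (True, 2048)
SAMPLE_1024 = make_dh_params_pem((1 << 1023) | 1)   # check_dh_size -> (False, 1024)
```

To check a real file, pass `open("dh2048.pem").read()` to `check_dh_size`; `(False, 1024)` is the case that trips the patched Debian Exim builds, and anything above 2236 bits is the case Phil warns about for NSS-based peers.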