Bug#676563: exim4: new minimum Diffie-Hellman length breaks sending, not configurable

Kevin Mitchell kevmitch at math.sfu.ca
Thu Jun 7 19:51:51 UTC 2012


Source: exim4
Version: 4.80-2
Severity: important

This breaks relaying to my smarthost which requires secure
authentication, but apparently doesn't have the new required DH size of
2048. 

from /var/log/exim4/mainlog:

2012-06-07 11:57:56 1Schu8-0005cQ-SD <= kevmitch at math.sfu.ca U=kevmitch P=local S=472 id=20120607185756.GA21542 at math.sfu.ca
2012-06-07 11:58:02 1Schu8-0005cQ-SD TLS error on connection to pobox.sfu.ca [142.58.101.28] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

Maybe a key shorter than 2048 is "insecure", but most people (myself
included) are not in a position to "fix" their smarthost. This wouldn't
be so bad as a default, except that as far as I can tell, there is no
way to configure it short of recompiling without 66_enlarge-dh-parameters-size.dpatch. 

I would recommend either dropping the patch or adding a runtime configuration option.

Kevin



-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'testing'), (400, 'stable'), (300, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.4.1.01 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
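An added example, not code from the bug report or from the exim4 package, for two checks a practitioner would want here: measuring the Diffie-Hellman prime a server actually sends in its TLS ServerKeyExchange (the ServerDHParams structure of RFC 5246, section 7.4.3) against the 2048-bit minimum the report says exim 4.80-2 enforces, and scanning exim mainlog lines for the GnuTLS "not long enough" handshake error to list which smarthosts are affected. The ServerKeyExchange bytes, the stand-in primes and the second log line are constructed; the first log line and the log format are the ones shown in the report.

```python
"""Added example: check a server's DHE prime length and scan exim mainlog
lines for the GnuTLS DH rejection. Not part of exim or of the bug report."""
import re
import struct

# The report says exim 4.80-2 (Debian patch 66_enlarge-dh-parameters-size)
# rejects DH primes shorter than 2048 bits; kept as a parameter so other
# thresholds can be tried.
EXIM_480_MIN_DH_BITS = 2048


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build ServerDHParams: dh_p, dh_g, dh_Ys, each opaque<1..2^16-1>
    (two-byte big-endian length prefix). Used only to construct test input."""
    out = b""
    for value in (p, g, ys):
        raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
        out += struct.pack(">H", len(raw)) + raw
    return out


def parse_server_dh_params(data: bytes) -> dict:
    """Parse ServerDHParams from the start of a ServerKeyExchange body.

    Returns p, g, Ys, the bit length of p, and the unparsed tail (in a
    signed DHE exchange that tail is the server's signature)."""
    offset = 0
    fields = []
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if offset + 2 > len(data):
            raise ValueError("truncated before %s length" % name)
        (length,) = struct.unpack(">H", data[offset:offset + 2])
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError("bad length %d for %s" % (length, name))
        fields.append(int.from_bytes(data[offset:offset + length], "big"))
        offset += length
    p, g, ys = fields
    return {"p": p, "g": g, "ys": ys, "p_bits": p.bit_length(),
            "trailing": data[offset:]}


def dh_prime_acceptable(p_bits: int, minimum_bits: int = EXIM_480_MIN_DH_BITS) -> bool:
    """The policy the report describes: primes below the minimum are rejected."""
    return p_bits >= minimum_bits


# Exim mainlog line for the GnuTLS DH rejection, in the form shown in the report.
DH_REJECT_RE = re.compile(
    r"TLS error on connection to (?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"\(gnutls_handshake\): The Diffie-Hellman prime sent by the server "
    r"is not acceptable \(not long enough\)"
)


def hosts_rejected_for_short_dh(log_lines):
    """Return (host, ip) pairs, in first-seen order, for lines that hit
    the DH-length rejection."""
    seen = []
    for line in log_lines:
        m = DH_REJECT_RE.search(line)
        if m and (m.group("host"), m.group("ip")) not in seen:
            seen.append((m.group("host"), m.group("ip")))
    return seen


# Constructed inputs. The primes are stand-ins of the right length, not real
# group primes; only their length matters for this check. The four trailing
# zero bytes stand in for the signature that follows ServerDHParams.
P_1024 = (1 << 1023) | 0x10001
P_2048 = (1 << 2047) | 0x10001
SKE_1024 = encode_server_dh_params(P_1024, 2, pow(2, 12345, P_1024)) + b"\x00" * 4
SKE_2048 = encode_server_dh_params(P_2048, 2, pow(2, 12345, P_2048)) + b"\x00" * 4

SAMPLE_MAINLOG = [
    # Line taken from the report.
    "2012-06-07 11:58:02 1Schu8-0005cQ-SD TLS error on connection to "
    "pobox.sfu.ca [142.58.101.28] (gnutls_handshake): The Diffie-Hellman "
    "prime sent by the server is not acceptable (not long enough).",
    # Constructed: an unrelated delivery line that must not match.
    "2012-06-07 11:58:03 1Schu9-0005cR-AB => alice@example.invalid "
    "R=dnslookup T=remote_smtp H=mx.example.invalid [192.0.2.10]",
]

if __name__ == "__main__":
    for label, ske in (("1024-bit", SKE_1024), ("2048-bit", SKE_2048)):
        bits = parse_server_dh_params(ske)["p_bits"]
        print("%s: p is %d bits, acceptable=%s" % (label, bits, dh_prime_acceptable(bits)))
    print("rejected smarthosts:", hosts_rejected_for_short_dh(SAMPLE_MAINLOG))
```

For a live check against a smarthost, feed `parse_server_dh_params` the ServerKeyExchange body from a packet capture of the STARTTLS handshake; `openssl s_client -starttls smtp -connect smarthost:25` also reports the server's temporary key size in recent OpenSSL releases. The log scan is the quicker way to find out which upstream hosts a 4.80 upgrade will stop delivering to.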





More information about the Pkg-exim4-maintainers mailing list