Bug#676563: exim4: new minimum Diffie-Hellman length breaks sending, not configurable
Andreas Metzler
ametzler at downhill.at.eu.org
Thu Jun 21 17:47:47 UTC 2012
On 2012-06-21 Eric Cooper <ecc at cmu.edu> wrote:
> Package: exim4
> Followup-For: Bug #676563
> This problem still exists for me in version 4.80-3.
> I'm using smtp.srv.cs.cmu.edu as smarthost, and I get this error:
> 2012-06-20 18:40:40 1ShRfu-0001AA-8c TLS error on connection to smtp.srv.cs.cmu.edu [128.2.217.15] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
> 2012-06-20 18:40:40 1ShRfu-0001AA-8c TLS session failure: delivering unencrypted to smtp.srv.cs.cmu.edu [128.2.217.15] (not in hosts_require_tls)
> I downgraded to 4.77-1 and my configuration works again.
> I tried setting tls_dh_min_bits to several lower values, but it didn't
> help. (Perhaps I was doing it wrong.)
Hello,
With the default setting, I also see the error:
(SID)root@argenau:/# exim4 -bP transport remote_smtp_smarthost | grep tls_dh_min
tls_dh_min_bits = 1024
(SID)root@argenau:/# echo foo | exim -f '<>' -d+all invalid@example.com
[...]
28546 SMTP>> STARTTLS
28546 waiting for data on socket
28546 read response data: size=30
28546 SMTP<< 220 2.0.0 Ready to start TLS
28546 initialising GnuTLS as a client on fd 7
28546 GnuTLS global init required.
28546 initialising GnuTLS client session
28546 Expanding various TLS configuration options for session credentials.
28546 TLS: no client certificate specified; okay
28546 TLS: tls_verify_certificates not set or empty, ignoring
28546 GnuTLS using default session cipher/priority "NORMAL"
28546 Setting D-H prime minimum acceptable bits to 1024
28546 TLS: server certificate verification not required
28546 LOG: MAIN
28546 TLS error on connection to smtp.srv.cs.cmu.edu [128.2.217.15] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
However, downgrading the security works for me:
(SID)root@argenau:/# echo TLS_DH_MIN_BITS = 512 >> /etc/exim4/exim4.conf.localmacros
(SID)root@argenau:/# /etc/init.d/exim4 restart
[...]
(SID)root@argenau:/# exim4 -bP transport remote_smtp_smarthost | grep tls_dh_min
tls_dh_min_bits = 512
(SID)root@argenau:/# echo foo | exim -f '<>' -d+all invalid@example.com
[...]
28546 SMTP>> STARTTLS
28546 waiting for data on socket
28546 read response data: size=30
28546 SMTP<< 220 2.0.0 Ready to start TLS
28546 initialising GnuTLS as a client on fd 7
28546 GnuTLS global init required.
28546 initialising GnuTLS client session
28546 Expanding various TLS configuration options for session credentials.
28546 TLS: no client certificate specified; okay
28546 TLS: tls_verify_certificates not set or empty, ignoring
28546 GnuTLS using default session cipher/priority "NORMAL"
28546 Setting D-H prime minimum acceptable bits to 512
28546 TLS: server certificate verification not required
28546 gnutls_handshake was successful
28546 cipher: TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128
How did you try to downgrade the tls_dh_min_bits setting and to which
value?
> Also, is there a debugging
> option that would allow me to determine the prime size that the CMU
> server is using?
You can use gnutls-cli as debugging tool:
ametzler@argenau:~$ gnutls-cli -s smtp.srv.cs.cmu.edu -p 25
[...]
220 smtp03.srv.cs.cmu.edu ESMTP Sendmail 8.13.6/8.13.6; Thu, 21 Jun 2012 13:09:17 -0400 (EDT)
ehlo foo
250-smtp03.srv.cs.cmu.edu Hello 91-115-38-95.adsl.highway.telekom.at [91.115.38.95], pleased to meet you
250-ENHANCEDSTATUSCODES
[...]
STARTTLS
220 2.0.0 Ready to start TLS
[Press <Ctrl>-D now]
*** Starting TLS handshake
[...]
- Ephemeral Diffie-Hellman parameters
- Using prime: 512 bits
- Secret key: 511 bits
- Peer's public key: 512 bits
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
[...]
cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
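
Added example, not part of the original message or of Exim: the two mainlog lines quoted in the report show the DH rejection followed by a fallback to unencrypted delivery, and this sketch pairs those lines per message to list which hosts caused rejections and which messages then left in cleartext. The function name `weak_dh_report` is hypothetical, and the sample hosts, IPs and message ids are constructed.

```python
import re
from collections import defaultdict

# Constructed sample mainlog: line layout follows the two log lines quoted in
# the message; hosts, IPs and message ids are made up for this example.
SAMPLE_LOG = """\
2012-06-20 18:40:40 1AAAAA-000001-AA TLS error on connection to mx1.example.net [192.0.2.10] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
2012-06-20 18:40:40 1AAAAA-000001-AA TLS session failure: delivering unencrypted to mx1.example.net [192.0.2.10] (not in hosts_require_tls)
2012-06-20 18:41:02 1BBBBB-000002-BB TLS error on connection to mx2.example.org [198.51.100.7] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
2012-06-20 18:42:15 1CCCCC-000003-CC TLS error on connection to mx1.example.net [192.0.2.10] (gnutls_handshake): A TLS fatal alert has been received.
2012-06-20 18:42:15 1CCCCC-000003-CC TLS session failure: delivering unencrypted to mx1.example.net [192.0.2.10] (not in hosts_require_tls)
"""

TLS_ERROR = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) TLS error on connection to "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\] \([^)]+\): (?P<reason>.*)$")
FALLBACK = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) TLS session failure: delivering unencrypted to "
    r"(?P<host>\S+) \[(?P<ip>[^\]]+)\]")
DH_REASON = "Diffie-Hellman prime sent by the server is not acceptable"


def weak_dh_report(lines):
    """Map host -> ip, message ids whose handshake was rejected for a short
    DH prime, and the subset of those that were then sent unencrypted."""
    report = defaultdict(lambda: {"ip": None, "rejected": set(), "cleartext": set()})
    for line in lines:
        m = TLS_ERROR.match(line)
        if m:
            if DH_REASON in m["reason"]:
                report[m["host"]]["ip"] = m["ip"]
                report[m["host"]]["rejected"].add(m["msgid"])
            continue
        m = FALLBACK.match(line)
        # Attribute a fallback to weak DH only if this message id already hit
        # the DH error on the same host; other TLS failures are ignored here.
        if m and m["host"] in report and m["msgid"] in report[m["host"]]["rejected"]:
            report[m["host"]]["cleartext"].add(m["msgid"])
    return dict(report)


if __name__ == "__main__":
    for host, info in sorted(weak_dh_report(SAMPLE_LOG.splitlines()).items()):
        print(host, info["ip"], "rejected:", sorted(info["rejected"]),
              "sent unencrypted:", sorted(info["cleartext"]))
```

A host with rejections but an empty "sent unencrypted" set had no fallback line logged for those messages in the scanned input.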