Bug#684340: exim tls fails: Diffie-Hellman prime too short

Suresh Ramasubramanian suresh at hserus.net
Wed Sep 11 06:01:47 UTC 2013


Package: exim4
Version: 4.80-7
Followup-For: Bug #684340

This issue is still around in 4.80-7 on wheezy.

Longish thread on postfix-users as well, with an exim developer (Phil Pennock)
discussing this bug with Wietse and Viktor Dukhovni.

66_enlarge-dh-parameters-size.dpatch in gnutls is the cause of the issue, forcing
high Diffie-Hellman primes to be required.

http://postfix.1071664.n5.nabble.com/Exim-DH-GnuTLS-interop-tp61003p61097.html
http://postfix.1071664.n5.nabble.com/Exim-DH-GnuTLS-interop-tp61003p61100.html

Possibly good crypto but extremely bad for interoperability, and obviously ends
up in a lot of email being sent out unencrypted / cleartext when at least a
base level of TLS should have been available and usable.

Setting tls_dh_min_bits=512 in remote_smtp does help mitigate it.

If you use a monolithic config rather than a split config, and have it persist
across releases once the config is stabilized ..

thanks
--srs
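The mitigation the report names, `tls_dh_min_bits=512` on the remote_smtp transport, as an added configuration example. This is not the reporter's own configuration and not Debian's packaged exim4 template; the transport name `remote_smtp` comes from the report, the file location is assumed and depends on whether the installation uses a split or a monolithic config.

```exim
# Added example: an Exim 4.80 remote_smtp transport with the DH minimum lowered.
# With dc_use_split_config='false' (as in this report) the transport stanza is
# in the monolithic template; with a split config it would sit under
# /etc/exim4/conf.d/transport/ (assumed path, check the local installation).
remote_smtp:
  driver = smtp
  # Exim 4.80 defaults tls_dh_min_bits to 1024. Lowering it lets the client
  # accept peers whose TLS stacks still serve short DH primes, trading
  # key-exchange strength (a 512-bit DH group is cryptographically weak)
  # for completing an opportunistic TLS session at all instead of the
  # cleartext fallback the report describes.
  tls_dh_min_bits = 512
```

After editing, `update-exim4.conf` regenerates the runtime configuration, and `exim4 -bP transport remote_smtp` prints the effective options of that transport so the new value can be confirmed before relying on it.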

-- Package-specific info:
Exim version 4.80 #2 built 02-Jan-2013 19:40:19
Copyright (c) University of Cambridge, 1995 - 2012
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2012
Berkeley DB: Berkeley DB 5.1.29: (October 25, 2011)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /etc/exim4/exim4.conf
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to replace
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='none'
dc_other_hostnames='frodo.hserus.net'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
mailname:frodo.hserus.net

-- System Information:
Debian Release: 7.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]  1.5.49
ii  exim4-base             4.80-7
ii  exim4-daemon-heavy     4.80-7

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf information:
  exim4/drec: