Bug#684340: exim tls fails: Diffie-Hellman prime too short
Florian Weimer
fw at deneb.enyo.de
Wed Sep 11 19:48:25 UTC 2013
* Suresh Ramasubramanian:
> Possibly good crypto but extremely bad for interoperability, and obviously ends
> up in a lot of email being sent out unencrypted / cleartext when at least a
> base level of TLS should have been available and usable.
>
> Setting tls_dh_min_bits=512 in remote_smtp does help mitigate it.
I suppose the simplest mitigation would be to avoid ephemeral
Diffie-Hellman key agreement altogether, that is, remove it from the
cipher suite default.
512 bits DH probably allows passive attacks, so IMHO it's unsuitable
even if the peer's certificate isn't validated in some way (because
like strong DH, this still provides security against passive
eavesdroppers).
More information about the Pkg-exim4-maintainers
mailing list