On 2012-05-27 at 00:19 -0400, Phil Pennock wrote:
> This is strange. Exim should have been using a file named
> "gnutls-params-2236", for the number of bits in the file.
>
> Oh crap. I know what it is. GnuTLS generates *approximately* the
> number of bits requested, and can go over. OpenSSL is more exact, but
> takes significantly longer.
>
> Crap crap crap. I'll lower the default value of tls_dh_max_bits, so
> that even when generation goes over, the count will *probably* only be
> 2236 and NSS will work.
>
> You probably had a 2237-bit key in the file.
I spent some time trying to find an API call to interrogate the size so we could retry until the value was acceptable. I failed to find one. I've mailed the GnuTLS mailing-list, suggesting such a call might be Quite Useful.

There is no sane way I can find to hook in to get the value, except perhaps another debug hook which extracts data from the text string passed in.

So, first pass, I subtracted 3 from tls_dh_max_bits, to request 2233. In my first test, the generated DH prime had 2240 bits.

We now subtract 10, if tls_dh_max_bits is at least 1034.

We're still using a strategy called "hope". This is Not Good (tm).

-Phil
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
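The failure mode in this thread is that the prime GnuTLS actually writes to the gnutls-params-NNNN file can be wider than the NNNN bits requested, and a peer with a hard upper bound (NSS, per the post) then rejects the handshake. Since no API reports the generated size, the practical defence is to measure the file itself before deploying it. The check below is an added example and is not Exim's or Phil's code: it parses a PEM "DH PARAMETERS" block (PKCS#3 DHParameter, a SEQUENCE of INTEGER p and INTEGER g), computes the real bit length of p, and compares it with the limit. The 2236-bit limit and the "subtract 10 once tls_dh_max_bits is at least 1034" rule are taken from the post; `requested_bits` models that workaround as described and is not Exim's implementation; the sample parameters are constructed odd numbers of a known width, not real DH groups.

```python
import base64
import re
import textwrap

# Limit taken from the thread: NSS rejected a 2237-bit prime and the post
# treats 2236 bits as the largest size NSS peers accept (assumption).
NSS_DH_LIMIT_BITS = 2236


def requested_bits(tls_dh_max_bits):
    """Model of the workaround described in the post (not Exim's code):
    ask GnuTLS for 10 fewer bits than tls_dh_max_bits once it is >= 1034,
    leaving headroom for GnuTLS overshooting the requested size."""
    if tls_dh_max_bits >= 1034:
        return tls_dh_max_bits - 10
    return tls_dh_max_bits


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(n):
    """DER INTEGER for non-negative n; a leading zero keeps it positive."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def build_dh_params_pem(p, g):
    """Encode (p, g) as PKCS#3 DHParameter: SEQUENCE { INTEGER p, INTEGER g }."""
    body = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN DH PARAMETERS-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value triple starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params_pem(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_prime_bits(pem):
    """Actual width of the prime in the file, which is what the peer sees."""
    p, _ = parse_dh_params_pem(pem)
    return p.bit_length()


def check_dh_params(pem, limit=NSS_DH_LIMIT_BITS):
    """True if the prime fits the limit, i.e. the file is safe for NSS peers."""
    return dh_prime_bits(pem) <= limit


# Constructed samples: odd numbers of a known bit length, NOT real DH primes,
# standing in for what GnuTLS wrote to gnutls-params-2236.
OVERSHOOT_PEM = build_dh_params_pem((1 << 2236) | 1, 2)  # 2237 bits, as in the post
FITS_PEM = build_dh_params_pem((1 << 2235) | 1, 2)       # exactly 2236 bits

if __name__ == "__main__":
    for name, pem in (("overshoot", OVERSHOOT_PEM), ("fits", FITS_PEM)):
        print(name, dh_prime_bits(pem), "bits, ok:", check_dh_params(pem))
    print("request for tls_dh_max_bits=2236 ->", requested_bits(2236), "bits")
```

Run against a real params file by passing its contents to `check_dh_params`; a false result means the generated prime overshot and the file should be regenerated with a smaller request rather than shipped.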
