On 2016-05-29 at 02:10 -0400, Viktor Dukhovni wrote:
> But, (broken record), do yourself a favour and just drop these groups...

We can change the default. We can add new groups. We won't remove documented values, exposed to configuration, short of a release where we are accepting non-backwards-compatible changes. We particularly can't immediately remove a value which was documented as the default.

We should "fix" the groups present even if they're no longer the default, so that they're less dangerous.

nb: my crypto knowledge is mostly at the "dangerous" level, not skilled. I didn't know that the addition of 'q' made DH stored values into DSA values. This is why, for a long time, we refused to put crypto policy into Exim and tried to just use OpenSSL defaults. We're being bitten here because in 2012 I tried to do the safest thing possible to make DH work for everyone, reliably.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
