https://bugs.exim.org/show_bug.cgi?id=2822
--- Comment #4 from Ferry <[email protected]> --- Hi, GnuTLS matrix channel referred to: https://gitlab.com/gnutls/gnutls/-/issues/1077 According to the responses there either: gnutls_certificate_set_dh_params or gnutls_certificate_set_known_dh_params should be called. I presume the latter isn't called either, since in our setup tls_dhparam points to a 4096 dhparam set (file in PEM format). -- Not really versed at this level, but there are known parameters referencing the mentioned RFC7919. For example here: https://git.furworks.de/opensourcemirror/opnsense-core/commit/79bf33a1cad1f6c7ca74d47d47bcc25f70cfea4d - since the RFC more or less states these are secure and there being no known advantages (but do reference some disadvantages) versus random, why not include these? If someone would set tls_dhparam I personally think those should be used or the option should be removed. Don't have a preference - it's just that they don't seem to do anything currently (at least, would have expected DHE to work if they were loaded seems the issue seems to stem from there being no dhparams in the stack). Mozilla seems to be using the same, although they only seem to offer the 2048 & 4096 variants here: https://ssl-config.mozilla.org/ffdhe2048.txt https://ssl-config.mozilla.org/ffdhe4096.txt Which they reference (depening on the config) in their SSL/TLS config generator here https://ssl-config.mozilla.org/ (the strong/modern variants only include ECDHE but (some) lower ones on some have comments fetching them with curl). -- You are receiving this mail because: You are on the CC list for the bug. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
