On 2012-05-30 at 12:34 +0200, Wolfgang Breyha wrote:
> RC7 runs smoothly so far. Only "new" stuff in my logs I found is:
> 2012-05-30 12:07:56 1SZfop-0005Dd-Kw TLS error on connection to
> service13.mimecast.com [91.220.42.7] (gnutls_handshake): The Diffie-Hellman
> prime sent by the server is not acceptable (not long enough).
>
> Connecting to this host with gnutls-cli offers a VeriSign Cert and

Above that:

*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 768 bits
 - Secret key: 767 bits
 - Peer's public key: 768 bits

I set 1024, which has been the size issued by Exim for a very long time,
and is very short when considered in light of:
  http://www.keylength.com/en/3/

So 768 is *lower* than:
  Very short-term protection against small organizations
  Should not be used for confidentiality in new systems
and so falls into the criteria of:
  Attacks in "real-time" by individuals
  Only acceptable for authentication tag size

Thus the size chosen by that site is into the "fooling yourself" level
of security. If you have contacts with them, you might want to let them
know that they've got a security misconfiguration.

To unbreak for this release, I will lower the hard-coded minimum from
1024 to 512. Eww.

For 4.81, I will switch this limit to be a configure-time option,
defaulting to 1000 and lowerable to 512. Those who want more security
can raise the limit. I'll make it an expanded transport option, so it
can be configured per connection and folks exchanging data with
cooperative systems can raise the minimum.

-Phil
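The size check behind the log line above, as an added example that is not part of the original message and not Exim's or GnuTLS's code: it parses the ServerDHParams structure a TLS server sends for ephemeral Diffie-Hellman (RFC 5246, section 7.4.3) and compares the prime's bit length against a minimum. The function names and the sample bytes are assumptions made for illustration; the sample prime is a constructed 768-bit value, not a real prime and not the one that host sent.

```python
import struct

def parse_server_dh_params(body: bytes):
    """Parse ServerDHParams: dh_p, dh_g, dh_Ys, each a 2-byte length + big-endian integer."""
    values, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        if off + 2 > len(body):
            raise ValueError(f"truncated before {name} length")
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if n == 0 or off + n > len(body):
            raise ValueError(f"bad length for {name}")
        values.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    return tuple(values)

def check_dh_prime(body: bytes, min_bits: int):
    """Return (acceptable, prime_bits) for the prime carried in ServerDHParams."""
    p, _g, _ys = parse_server_dh_params(body)
    # bit_length() ignores leading zero bytes, so a zero-padded prime cannot
    # pass as longer than it really is.
    bits = p.bit_length()
    return bits >= min_bits, bits

def _vec(n: int) -> bytes:
    """Encode an integer as a TLS opaque<1..2^16-1> vector (helper for the sample)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack("!H", len(raw)) + raw

# Constructed sample: 768-bit modulus (not a real prime), generator 2, dummy public value.
SAMPLE_P = (1 << 767) | 1
SAMPLE = _vec(SAMPLE_P) + _vec(2) + _vec((1 << 766) | 5)

if __name__ == "__main__":
    # The three thresholds named in the message: the 1024 set for this release
    # candidate, the proposed 4.81 default of 1000, and the lowered floor of 512.
    for minimum in (1024, 1000, 512):
        ok, bits = check_dh_prime(SAMPLE, minimum)
        verdict = "accept" if ok else "reject (not long enough)"
        print(f"min {minimum:4d} bits: prime is {bits} bits -> {verdict}")
```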
