Phil Pennock wrote:
On 2012-05-30 at 12:34 +0200, Wolfgang Breyha wrote:
RC7 runs smoothly so far. Only "new" stuff in my logs I found is:
2012-05-30 12:07:56 1SZfop-0005Dd-Kw TLS error on connection to
service13.mimecast.com [91.220.42.7] (gnutls_handshake): The Diffie-Hellman
prime sent by the server is not acceptable (not long enough).
Connecting to this host with gnutls-cli offers a VeriSign Cert and
Above that:
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
- Using prime: 768 bits
- Secret key: 767 bits
- Peer's public key: 768 bits
I set 1024, which has been the size issued by Exim for a very long time,
and is very short when considered in light of:
http://www.keylength.com/en/3/
So 768 is *lower* than:
Very short-term protection against small organizations
Should not be used for confidentiality in new systems
and so falls into the criteria of:
Attacks in "real-time" by individuals
Only acceptable for authentication tag size
Thus the size chosen by that site is into the "fooling yourself" level
of security. If you have contacts with them, you might want to let them
know that they've got a security misconfiguration.
To unbreak for this release, I will lower the hard-coded minimum from
1024 to 512. Eww.
Sorry - I see that cure as worse than the disease.
Potentially FAR worse.
Who is expecting to even need to look at it as part of an upgrade when
the default had not been broken?
For 4.81, I will switch this limit to be a
configure-time option, defaulting to 1000 and lowerable to 512. Those
who want more security can raise the limit.
Bit of a suicide kit, but at least the gun is not handed-over already
loaded.
I'll make it an expanded
transport option, so it can be configured per connection and folks
exchanging data with cooperative systems can raise the minimum.
-Phil
That last part DOES add value.
JM2CW from the cheap seats...
Bill
--
韓家標
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
