(Not) funny. I was wrong on BOTH counts. It is a runtime configuration and it is the user's problem. I guess I have been fortunate enough to have only ever used OpenSSL because it has always just worked without need for tweaking.
...Todd On Wed, Jan 15, 2014 at 12:18 PM, Viktor Dukhovni <[email protected]> wrote: > On Wed, Jan 15, 2014 at 05:55:26AM -0800, Todd Lyons wrote: > >> There is a line in src/ssl-gnu.c: >> >> #define EXIM_CLIENT_DH_MIN_BITS 1024 >> >> Apparently some (all?) servers at yahoo are using gnutls with a lower >> setting. You might be able to override this and rebuild exim (though >> that's not advised, you'll create problems for people sending to you). >> This is not a runtime setting, only build time. > > No. Yahoo's server key exchange message is 525 bytes, which is > large enough for a 2048-bit RSA signature (256 bytes) + 2 1024-bit > values (p, g^S), a short generator and a key exchange algorithm > number. They sure seem to be using a 1024-bit prime. > > The OP can try wireshark if a more complete decode is desired. > >> > After some googling I thought maybe my self signed TLS key was not strong >> > enough and so regenerated it with - >> >> Nah, it's not your key with the problem, it's the other side. > > No, it is the OP's problem, but with his dh_min_bits configuration, not > his private key or certificate. > > -- > Viktor. > > -- > ## List details at https://lists.exim.org/mailman/listinfo/exim-users > ## Exim details at http://www.exim.org/ > ## Please use the Wiki with this list - http://wiki.exim.org/ -- The total budget at all receivers for solving senders' problems is $0. If you want them to accept your mail and manage it the way you want, send it the way the spec says to. --John Levine -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
