Martin Lambers <[EMAIL PROTECTED]> writes:

> Hello all!
>
> I had a few reports of failures with msmtp using GnuTLS:
> "The Diffie Hellman prime sent by the server is not acceptable
> (not long enough)". See for example
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=440344 .
>
> It is possible to solve this by adding the line
> gnutls_dh_set_prime_bits(session, 512);
>
> However, there's certainly a reason why the required length was changed,
> though I cannot find a related ChangeLog or NEWS entry.

I found the change, it was made roughly 5 years ago:

http://git.savannah.gnu.org/gitweb/?p=gnutls.git;a=commitdiff;h=7ebb6052d54458a33e5ba18d2c352db6652e6b91

There is a Changelog entry for it, in ChangeLog.1. No NEWS entry though.

> Is it ok to reduce the required length, or does this have security
> implications?

I can't seem to find a good reference for this. RFC 4419 seems to suggest 1024 bits for SSH, but it is not clear if the same considerations apply to TLS. RFC 3766 is rather vague, but suggests that 2*K should be ok, where K is the needed symmetric key size. From that 512 bits would be ok, but that makes me confused why RFC 4419 requires more.

It would be nice to have a better answer for your question.

Nikos, do you recall why you changed the default here?

> Can the new function gnutls_priority_init() be used instead of
> gnutls_dh_set_prime_bits()? Then the user could set all his special TLS
> session requirements using a single interface. That would be nice.

Good idea, that should definitely be supported:

http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/29

Patches welcome. ;)

/Simon
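The kind of client-side check behind the "not long enough" error discussed in this thread, as an added example that is not code from the thread or from GnuTLS: it parses the TLS ServerDHParams vectors (dh_p, dh_g, dh_Ys) and compares the size of the prime with a configurable minimum. The function names, result codes and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for this sketch (hypothetical names, not GnuTLS error codes). */
enum { DH_OK = 0, DH_MALFORMED = -1, DH_PRIME_TOO_SHORT = -2 };

/* Read one opaque<1..2^16-1> vector: 2-byte big-endian length, then data. */
static int read_vec(const uint8_t *buf, size_t len, size_t *pos,
                    const uint8_t **out, size_t *out_len)
{
    if (len - *pos < 2) return DH_MALFORMED;
    size_t n = ((size_t)buf[*pos] << 8) | buf[*pos + 1];
    *pos += 2;
    if (n == 0 || n > len - *pos) return DH_MALFORMED;  /* empty or truncated */
    *out = buf + *pos;
    *out_len = n;
    *pos += n;
    return DH_OK;
}

/* Significant bits of a big-endian integer, ignoring leading zero bytes. */
static unsigned be_bits(const uint8_t *p, size_t n)
{
    while (n > 0 && *p == 0) { p++; n--; }
    if (n == 0) return 0;
    unsigned bits = (unsigned)(n * 8);
    for (uint8_t top = *p; !(top & 0x80); top <<= 1) bits--;
    return bits;
}

/* Parse ServerDHParams; *prime_bits is set unless the input is malformed. */
int check_server_dh(const uint8_t *msg, size_t len, unsigned min_bits,
                    unsigned *prime_bits)
{
    const uint8_t *p, *g, *ys;
    size_t pos = 0, p_len, g_len, ys_len;
    if (read_vec(msg, len, &pos, &p, &p_len) != DH_OK ||
        read_vec(msg, len, &pos, &g, &g_len) != DH_OK ||
        read_vec(msg, len, &pos, &ys, &ys_len) != DH_OK)
        return DH_MALFORMED;
    *prime_bits = be_bits(p, p_len);
    return *prime_bits >= min_bits ? DH_OK : DH_PRIME_TOO_SHORT;
}

int main(void) {  /* constructed toy input: a 16-bit dh_p, then dh_g, dh_Ys */
    static const uint8_t msg[] = {0, 2, 0xC0, 0x01, 0, 1, 2, 0, 1, 5};
    unsigned bits;
    return check_server_dh(msg, sizeof msg, 1024, &bits) == DH_PRIME_TOO_SHORT ? 0 : 1;
}
```

Leading zero bytes are skipped before counting, so a padded prime is measured by its real size rather than by its encoded length.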
