Re: [exim-dev] [Bug 1895] Default groups for DH possibly backdoored
On Tue, Mar 19, 2019 at 07:37:37AM +, Andrew C Aitchison via Exim-dev wrote: > > FWIW, Postfix 3.4, released a few weeks ago no longer supports OpenSSL > > versions prior to 1.0.2. > > Not sure from that whether Postfix 3.4 supports OpenSSL 1.0.2 ? It supports 1.1.x, 1.0.2, and nothing earlier. Older OpenSSL releases are still supported with Postfix 3.1, 3.2 and 3.3. My posts are basically lending support to the idea that this may be a good time for *new* Exim releases to require OpenSSL 1.0.2 or later. Now OpenSSL 1.0.2 is slated for EOL at the end of this year, and 1.1.0 (not an LTS release) in September, so one may be tempted to set the floor at 1.1.1, but that would probably leave some supported O/S releases behind, that may still be supporting OpenSSL 1.0.2 beyond its upstream EOL. -- Viktor. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[exim-dev] [Bug 1895] Default groups for DH possibly backdoored
https://bugs.exim.org/show_bug.cgi?id=1895 --- Comment #10 from Jeremy Harris --- I take it that the bit of code in OpenSSL dhparam.c around the use of d2i_DHxparams_bio() is relevant? As usual I am finding the OpenSSL docs unhelpful wrt. guidance on actually using the library. I think we need to retain support for PEM files; which means (if I understand correctly about the need for q for sufficient security to enable support for session resumption) that we'll want docs guidance. Can someone who understands crypto say how the need arises, succinctly? We'll also want to describe how to generate the parameter files. We'll also need to look at the GnuTLS support. Currently we use gnutls_dh_params_import_pkcs3() with a PEM flag; it does take DER as an alternate - but I don't know if "pkcs3" implies no q. The function is also "considered obsolete", in favour of using RFC7919 parameters (which are now GnuTLS builtins as well as being Exim builtins) - but note that Exim docs encourage sites to generate their own. -- You are receiving this mail because: You are on the CC list for the bug. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##