Re: [exim-dev] Remove RSA_EXPORT support

2006-10-23 Thread Marc Haber
On Mon, Oct 23, 2006 at 10:16:37AM +0100, Philip Hazel wrote:
> I think that 4.51 was sufficiently long ago (May 2005) that this can be 
> handled by suitable documentation. I have added information about this 
> to the README.UPDATING file for the next release. Thanks for pointing 
> out the problem.

Debian needs to worry about that since our "stable" users are still on
4.50. We're going to solve this by using file(1) on the dh-params file
and delete it on upgrade if file(1) says the file is
application/octet-stream, which is the old format.

Greetings
Marc

-- 
-
Marc Haber         | "I don't trust Computers. They   | Mailadresse im Header
Mannheim, Germany  |  lose things." Winona Ryder      | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt   | Fax: *49 621 72739835

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##


Re: [exim-dev] Remove RSA_EXPORT support

2006-10-23 Thread Philip Hazel
On Sun, 22 Oct 2006, Andreas Metzler wrote:

> The patch slightly breaks backwards compatibility. Exim is not able
> anymore to read old-format (4.50 and earlier) gnutlsparams file. - It
> is necessary to remove the old file on upgrades from older versions,
> otherwise exim aborts TLS connections with 
> 
> TLS error on connection from ... (DH params import): Base64 decoding error.

I think that 4.51 was sufficiently long ago (May 2005) that this can be 
handled by suitable documentation. I have added information about this 
to the README.UPDATING file for the next release. Thanks for pointing 
out the problem.

-- 
Philip Hazel, University of Cambridge Computing Service
Get the Exim 4 book: http://www.uit.co.uk/exim-book



Re: [exim-dev] Remove RSA_EXPORT support

2006-10-22 Thread Andreas Metzler
On 2006-10-16 Philip Hazel <[EMAIL PROTECTED]> wrote:
> On Sun, 8 Oct 2006, Marc Haber wrote:

> > Florian Weimer has made a patch removing RSA_EXPORT support from Exim.
> > This patch removes blocking on /dev/random from the DH parameter
> > generation, which is a big source of trouble for the Debian packages.

> This patch is now committed. As Florian promised, it seems to make no 
> difference to Exim's actual operation, other than not to waste time 
> computing parameters that are never used.

The patch slightly breaks backwards compatibility. Exim is not able
anymore to read old-format (4.50 and earlier) gnutlsparams file. - It
is necessary to remove the old file on upgrades from older versions,
otherwise exim aborts TLS connections with 

TLS error on connection from ... (DH params import): Base64 decoding error.

cu andreas
-- 
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal
vision of the emperor's, and its inclusion in this work does not constitute
tacit approval by the author or the publisher for any such projects,
howsoever undertaken. (c) Jasper Fforde



Re: [exim-dev] Remove RSA_EXPORT support

2006-10-16 Thread Florian Weimer
* Philip Hazel:

> On Sun, 8 Oct 2006, Marc Haber wrote:
>
>> Florian Weimer has made a patch removing RSA_EXPORT support from Exim.
>> This patch removes blocking on /dev/random from the DH parameter
>> generation, which is a big source of trouble for the Debian packages.
>
> This patch is now committed. As Florian promised, it seems to make no 
> difference to Exim's actual operation, other than not to waste time 
> computing parameters that are never used.

Thanks, Philip.  I managed to find an old mailing list posting with
TLS statistics for SMTP:



No trace of RSA_EXPORT, as far as I can tell.



Re: [exim-dev] Remove RSA_EXPORT support

2006-10-16 Thread Philip Hazel
On Sun, 8 Oct 2006, Marc Haber wrote:

> Florian Weimer has made a patch removing RSA_EXPORT support from Exim.
> This patch removes blocking on /dev/random from the DH parameter
> generation, which is a big source of trouble for the Debian packages.

This patch is now committed. As Florian promised, it seems to make no 
difference to Exim's actual operation, other than not to waste time 
computing parameters that are never used.

Philip

-- 
Philip Hazel, University of Cambridge Computing Service.



Re: [exim-dev] Remove RSA_EXPORT support

2006-10-12 Thread Philip Hazel
On Thu, 12 Oct 2006, Marc Haber wrote:

> Philip, are you planning to apply this patch to mainline exim before
> 4.64? If not, I'll have to think about backing out the patch of
> Debian's production 4.63 packages.

Yes, I am. Probably next week.

-- 
Philip Hazel, University of Cambridge Computing Service
Get the Exim 4 book: http://www.uit.co.uk/exim-book



Re: [exim-dev] Remove RSA_EXPORT support

2006-10-12 Thread Marc Haber
On Tue, Oct 10, 2006 at 09:30:47AM +0100, Philip Hazel wrote:
> On Mon, 9 Oct 2006, Florian Weimer wrote:
> > The new key exchange algorithm list is:
> > 
> > static const int kx_priority[16] = {
> >   GNUTLS_KX_RSA,
> >   GNUTLS_KX_DHE_DSS,
> >   GNUTLS_KX_DHE_RSA,
> >   0 };
> > 
> > So RSA is still available (and it's still used according to my server
> > logs).
> 
> Oh, OK, I clearly don't understand enough about this! Thanks.

I originally intended to only enable this patch in Debian's
experimental package of the exim development snapshot, but
accidentally enabled the patch also for the "production" version which
has been uploaded to unstable the day before yesterday.

Philip, are you planning to apply this patch to mainline exim before
4.64? If not, I'll have to think about backing out the patch of
Debian's production 4.63 packages.

Greetings
Marc

-- 
-
Marc Haber         | "I don't trust Computers. They   | Mailadresse im Header
Mannheim, Germany  |  lose things." Winona Ryder      | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt   | Fax: *49 621 72739835



Re: [exim-dev] Remove RSA_EXPORT support

2006-10-10 Thread Philip Hazel
On Mon, 9 Oct 2006, Florian Weimer wrote:

> The new key exchange algorithm list is:
> 
> static const int kx_priority[16] = {
>   GNUTLS_KX_RSA,
>   GNUTLS_KX_DHE_DSS,
>   GNUTLS_KX_DHE_RSA,
>   0 };
> 
> So RSA is still available (and it's still used according to my server
> logs).

Oh, OK, I clearly don't understand enough about this! Thanks.

-- 
Philip Hazel, University of Cambridge Computing Service
Get the Exim 4 book: http://www.uit.co.uk/exim-book



Re: [exim-dev] Remove RSA_EXPORT support

2006-10-09 Thread Florian Weimer
* Philip Hazel:

> At a quick look, it seems to remove *all* RSA support, just leaving the 
> D-H support. Is that correct? Surely we want Exim to support both RSA 
> encryption and D-H encryption? Or have I missed something here?

The new key exchange algorithm list is:

static const int kx_priority[16] = {
  GNUTLS_KX_RSA,
  GNUTLS_KX_DHE_DSS,
  GNUTLS_KX_DHE_RSA,
  0 };

So RSA is still available (and it's still used according to my server
logs).



Re: [exim-dev] Remove RSA_EXPORT support

2006-10-09 Thread Philip Hazel
On Sun, 8 Oct 2006, Marc Haber wrote:

> Florian Weimer has made a patch removing RSA_EXPORT support from Exim.
> This patch removes blocking on /dev/random from the DH parameter
> generation, which is a big source of trouble for the Debian packages.
> 
> I intend to use this patch on the Debian packages after testing on my
> systems for a few days.
> 
> Would this patch be applicable for the Exim distribution as well?

I'll run my tests on it; I guess if they all work it seems reasonable to 
consider applying it, but I'm not at all an expert on this stuff. I
suspect that Florian knows a lot more than I do about it.

> - Forwarded message from Florian Weimer <[EMAIL PROTECTED]> -
> 
> > The attached patches remove RSA_EXPORT support from Exim. 

At a quick look, it seems to remove *all* RSA support, just leaving the 
D-H support. Is that correct? Surely we want Exim to support both RSA 
encryption and D-H encryption? Or have I missed something here?

-- 
Philip Hazel, University of Cambridge Computing Service
Get the Exim 4 book: http://www.uit.co.uk/exim-book
