PP/39 Disable SSLv2 by default in OpenSSL support.
+PP/40 Lower default size of EXIM_CLIENT_DH_MIN_BITS constant (used only by
+ GnuTLS at this time) from 1024 to 512. Cautious folk can override
+ in Local/Makefile.
+
Exim version 4.77
-----------------
Thus we check if the the value returned is at least 10 more than the minimum
we'll accept as a client (EXIM_CLIENT_DH_MIN_BITS, see below, defaults to
-1024) and if it is, we subtract 10. Then we reluctantly deploy a strategy
+512) and if it is, we subtract 10. Then we reluctantly deploy a strategy
called "hope". This is not guaranteed to be successful; in the first code
pass on this logic, we subtracted 3, asked for 2233 bits and got 2240 in the
first test.
A TLS client does not get to choose the DH prime used, but can choose a
minimum acceptable value. For Exim, this is a compile-time constant called
-"EXIM_CLIENT_DH_MIN_BITS" of 1024, which can be overruled in "Local/Makefile".
+"EXIM_CLIENT_DH_MIN_BITS" of 512, which can be overruled in "Local/Makefile".
+(It should be higher, but some real-world sites are using dangerously small
+values. Although some might argue that our old size of 1024 was dangerously
+low; "opinions vary". This is expected to be a configure file option for
+the Exim 4.81 release.)
#endif
#ifndef EXIM_CLIENT_DH_MIN_BITS
-#define EXIM_CLIENT_DH_MIN_BITS 1024
+#define EXIM_CLIENT_DH_MIN_BITS 512
#endif
/* With GnuTLS 2.12.x+ we have gnutls_sec_param_to_pk_bits() with which we
git://git.exim.org / exim.git / commitdiff