X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/5b257915c7b51e64b90bc6d89520514e0f4d4164..201f5254b5bbba620893cd607ea182bc25c123d2:/doc/doc-docbook/spec.xfpt?ds=sidebyside diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 75a5ac02c..9c2bf199f 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -6026,16 +6026,16 @@ that it implements the details of the specific authentication mechanism, i.e. PLAIN or LOGIN. The &%server_advertise_condition%& setting controls when Exim offers authentication to clients; in the examples, this is only when TLS or SSL has been started, so to enable the authenticators you also -need to add support for TLS as described in &<>&. +need to add support for TLS as described in section &<>&. The &%server_condition%& setting defines how to verify that the username and password are correct. In the examples it just produces an error message. To make the authenticators work, you can use a string expansion -expression like one of the examples in &<>&. +expression like one of the examples in chapter &<>&. Beware that the sequence of the parameters to PLAIN and LOGIN differ; the -usercode and password are in different positions. &<>& -covers both. +usercode and password are in different positions. +Chapter &<>& covers both. .ecindex IIDconfiwal @@ -15697,6 +15697,10 @@ by Thunderbird, while GnuTLS was suggesting 2432 bits as normal. If you prefer more security and are willing to break some clients, raise this number. + +Note that the value passed to GnuTLS for *generating* a new prime may be a +little less than this figure, because GnuTLS is inexact and may produce a +larger prime than requested. .wen 
@@ -15708,8 +15712,8 @@ This is used only for OpenSSL. When Exim is linked with GnuTLS, this option is ignored. See section &<>& for further details. .new -If the DH bit-count from loading the file is greater than tls_dh_max_bits then -it will be ignored. +If the DH bit-count from loading the file is greater than &%tls_dh_max_bits$& +then it will be ignored. .wen @@ -25070,6 +25074,10 @@ renaming. The relevant commands are something like this: # chown exim:exim new-params # chmod 0600 new-params # certtool --generate-dh-params --bits 2236 >>new-params +# openssl dhparam -noout -text -in new-params | head +[ check the first line, make sure it's not more than 2236; + if it is, then go back to the start ("rm") and repeat + until the size generated is at most the size requested ] # chmod 0400 new-params # mv new-params gnutls-params-2236 .endd @@ -25092,6 +25100,12 @@ The filename and bits used will change as the GnuTLS maintainers change the value for their parameter &`GNUTLS_SEC_PARAM_NORMAL`&, as clamped by &%tls_dh_max_bits%&. At the time of writing (mid 2012), GnuTLS 2.12 recommends 2432 bits, while NSS is limited to 2236 bits. + +In fact, the requested value will be *lower* than &%tls_dh_max_bits%&, to +increase the chance of the generated prime actually being within acceptable +bounds, as GnuTLS has been observed to overshoot. Note the check step in the +procedure above. There is no sane procedure available to Exim to double-check +the size of the generated prime, so it might still be too large. .wen
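Review bot: in the first hunk (@@ -6026), the unchanged context line "Beware that the sequence of the parameters to PLAIN and LOGIN differ" has a subject/verb mismatch ("sequence ... differ"); since the hunk already rewrites the two lines that follow it, change it to "differs" in the same commit rather than leaving the grammar error next to the corrected cross-references.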
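Review bot: in the hunk at @@ -15697, the new paragraph marks emphasis with bare asterisks (`*generating*`), which is not xfpt markup; this file uses `&...&` delimiters for inline markup (`&%option%&`, `&`code`&`), so the asterisks will most likely appear literally in the rendered spec. The same applies to `*lower*` in the last hunk. The paragraph also says the value passed to GnuTLS "may be a little less than this figure" without saying by how much or where that is decided; a pointer to the section that describes parameter generation would save the reader a search.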
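Review bot: in the hunk at @@ -15708, `&%tls_dh_max_bits$&` closes the option markup with `$&` instead of `%&`, so it will not render as an option reference and may break the xfpt build. The later hunk writes the same option correctly as `&%tls_dh_max_bits%&`; the line should read:
If the DH bit-count from loading the file is greater than &%tls_dh_max_bits%&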
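Review bot: in the hunk at @@ -25070, the three bracketed lines ("[ check the first line, ... ]") are explanatory text inside a command listing that otherwise shows literal shell commands prefixed with `#`, so they will render as if they were something to type; either prefix them as comments or move the explanation into prose after `.endd`. Two further points: the instruction to "go back to the start ("rm")" refers to an rm step that is outside this hunk's context, so please confirm the preceding lines actually contain it; and since the patch itself states that GnuTLS overshoots the requested size, asking certtool for exactly `--bits 2236` while the file is named for 2236 means every overshoot forces a full regenerate-and-check cycle, whereas the last hunk says Exim deliberately requests a lower figure for the same reason, so consider doing the same here.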
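Review bot: in the hunk at @@ -25092, "There is no sane procedure available to Exim to double-check the size of the generated prime" reads as a contradiction of the earlier hunk, which documents that a file whose DH bit-count exceeds &%tls_dh_max_bits%& is ignored on load; that check is stated to be OpenSSL-only, so say explicitly that the missing double-check is in the GnuTLS path. As in the earlier hunk, `*lower*` uses bare asterisks rather than the file's `&...&` emphasis markup, and "will be lower" would be more useful with the actual margin or a reference to where it is defined.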