the p11-kit configuration files in &_/etc/pkcs11/modules/_&.
See
-&url(http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs)
+&url(http://www.gnutls.org/manual/gnutls.html#Smart-cards-and-HSMs)
for documentation.
.wen
Some of these will be too small to be accepted by clients.
Some may be too large to be accepted by clients.
+The TLS protocol does not negotiate an acceptable size for this; clients tend
+to hard-drop connections if what is offered by the server is unacceptable,
+whether too large or too small, and there's no provision for the client to
+tell the server what these constraints are. Thus, as a server operator, you
+need to make an educated guess as to what is most likely to work for your
+userbase.
+
+Some known size constraints suggest that a bit-size in the range 2048 to 2236
+is most likely to maximise interoperability. The upper bound comes from
+applications using the Mozilla Network Security Services (NSS) library, which
+used to set its &`DH_MAX_P_BITS`& upper-bound to 2236. This affects many
+mail user agents (MUAs). The lower bound comes from Debian installs of Exim4
+prior to the 4.80 release, as Debian used to patch Exim to raise the minimum
+acceptable bound from 1024 to 2048.
+
.option tls_on_connect_ports main "string list" unset
This option specifies a list of incoming SSMTP (aka SMTPS) ports that should
Documentation of the strings accepted may be found in the GnuTLS manual, under
"Priority strings". This is online as
-&url(http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html),
+&url(http://www.gnutls.org/manual/html_node/Priority-Strings.html),
but beware that this relates to GnuTLS 3, which may be newer than the version
installed on your system. If you are using GnuTLS 3,
-&url(http://www.gnu.org/software/gnutls/manual/html_node/Listing-the-ciphersuites-in-a-priority-string.html, then the example code)
+&url(http://www.gnutls.org/manual/gnutls.html#Listing-the-ciphersuites-in-a-priority-string, then the example code)
on that site can be used to test a given string.
Prior to Exim 4.80, an older API of GnuTLS was used, and Exim supported three
This may also be set to a string identifying a standard prime to be used for
DH; if it is set to &`default`& or, for OpenSSL, is unset, then the prime
used is &`ike23`&. There are a few standard primes available, see the
-documetnation for &%tls_dhparam%& for the complete list.
+documentation for &%tls_dhparam%& for the complete list.
See the command
.code