X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/83f4c7515f3eb06dc070e78edd2694c1d088e5fd..ae5afa61184b6c9b39f58804032b32b42e3ba44e:/doc/doc-txt/GnuTLS-FAQ.txt?ds=sidebyside diff --git a/doc/doc-txt/GnuTLS-FAQ.txt b/doc/doc-txt/GnuTLS-FAQ.txt index be46753e4..897087582 100644 --- a/doc/doc-txt/GnuTLS-FAQ.txt +++ b/doc/doc-txt/GnuTLS-FAQ.txt @@ -103,9 +103,9 @@ signed. MD5 was once very popular. It still is far too popular. Real world attacks have been proven possible against MD5. Including an attack against PKI (Public Key Infrastructure) certificates used for SSL/TLS. In that attack, -the attackers got a certificate for one identity but we able to then public a -certificate with the same signature but a different identity. This undermines -the whole purpose of having certificates. +the attackers got a certificate for one identity but were able to then publish +a certificate with the same signature but a different identity. This +undermines the whole purpose of having certificates. So GnuTLS stopped trusting any certificate with an MD5-based hash used in it. The world has been hurriedly moving away from MD5 in certificates for a while. @@ -150,7 +150,7 @@ unset, so that you get one of the standard built-in primes used for DH. DH, Diffie-Hellman (or Diffie-Hellman-Merkle, or something naming Williamson) is the common name for a way for two parties to a communication stream to exchange some private random data so that both end up with a shared secret -which no evesdropper can get. It does not provide for proof of the identity +which no eavesdropper can get. It does not provide for proof of the identity of either party, so on its own is subject to man-in-the-middle attacks, but is often combined with systems which do provide such proof, improving them by separating the session key (the shared secret) from the long-term identity, @@ -159,7 +159,7 @@ and so protecting past communications from a break of the long-term identity. To do this, the server sends to the client a very large prime number; this is in the clear, an attacker can see it. This is not a problem; it's so not a problem, that there are standard named primes which applications can use, and -which a future release of Exim will probably support. +which Exim now supports. The size of the prime number affects how difficult it is to break apart the shared secret and decrypt the data. As time passes, the size required to @@ -177,13 +177,14 @@ such matters than the Exim folks, we just say "er, what they said". One of the new pieces of the GnuTLS API is a means for an application to ask it for guidance and advice on how large some numbers should be. This is not -entirely internal to GnuTLS since generating the numbers is slow, an +entirely internal to GnuTLS, since generating the numbers is slow, an application might want to use a standard prime, etc. So, in an attempt to get away from being involved in cryptographic policy, and to get rid of a hard-coded "1024" in Exim's source-code, we switched to asking GnuTLS how many -bits should be in the prime number generated for use for Diffie-Hellman. To -give back to GnuTLS for use We can ask for various sizes, and did not expose -this to the administrator but instead just asked for "NORMAL" protection. +bits should be in the prime number generated for use for Diffie-Hellman. We +then give this number straight back to GnuTLS when generating a DH prime. +We can ask for various sizes, and did not expose this to the administrator but +instead just asked for "NORMAL" protection. Literally: dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL); @@ -248,7 +249,7 @@ left with no way to actually know the size of the freshly generated DH prime. Thus we check if the the value returned is at least 10 more than the minimum we'll accept as a client (EXIM_CLIENT_DH_MIN_BITS, see below, defaults to -512) and if it is, we subtract 10. Then we reluctantly deploy a strategy +1024) and if it is, we subtract 10. Then we reluctantly deploy a strategy called "hope". This is not guaranteed to be successful; in the first code pass on this logic, we subtracted 3, asked for 2233 bits and got 2240 in the first test. @@ -275,11 +276,7 @@ prime from section 2.2 of RFC 5114. A TLS client does not get to choose the DH prime used, but can choose a minimum acceptable value. For Exim, this is a compile-time constant called -"EXIM_CLIENT_DH_MIN_BITS" of 512, which can be overruled in "Local/Makefile". -(It should be higher, but some real-world sites are using dangerously small -values. Although some might argue that our old size of 1024 was dangerously -low; "opinions vary". This is expected to be a configure file option for -the Exim 4.81 release.) +"EXIM_CLIENT_DH_MIN_BITS" of 1024, which can be overruled in "Local/Makefile". @@ -303,7 +300,7 @@ NORMAL.) See Q8. The current documentation, for the most recent release of GnuTLS, is available online at: - http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html + http://www.gnutls.org/manual/html_node/Priority-Strings.html Beware that if you are not using the most recent GnuTLS release then this documentation will be wrong for you! You should find the "info" documentation