X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/e2fbf4a211bdcff441c50f58f3c1f1fb17f56d61..abf05f332065a5cd05e9569945b0e3e12bd7ba92:/doc/doc-docbook/spec.xfpt?ds=inline diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 29214e3e1..371b28e43 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -13986,7 +13986,7 @@ This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with the p11-kit configuration files in &_/etc/pkcs11/modules/_&. See -&url(http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs) +&url(http://www.gnutls.org/manual/gnutls.html#Smart-cards-and-HSMs) for documentation. .wen @@ -16031,6 +16031,21 @@ The available primes are: Some of these will be too small to be accepted by clients. Some may be too large to be accepted by clients. +The TLS protocol does not negotiate an acceptable size for this; clients tend +to hard-drop connections if what is offered by the server is unacceptable, +whether too large or too small, and there's no provision for the client to +tell the server what these constraints are. Thus, as a server operator, you +need to make an educated guess as to what is most likely to work for your +userbase. + +Some known size constraints suggest that a bit-size in the range 2048 to 2236 +is most likely to maximise interoperability. The upper bound comes from +applications using the Mozilla Network Security Services (NSS) library, which +used to set its &`DH_MAX_P_BITS`& upper-bound to 2236. This affects many +mail user agents (MUAs). The lower bound comes from Debian installs of Exim4 +prior to the 4.80 release, as Debian used to patch Exim to raise the minimum +acceptable bound from 1024 to 2048. + .option tls_on_connect_ports main "string list" unset This option specifies a list of incoming SSMTP (aka SMTPS) ports that should @@ -25597,10 +25612,10 @@ aware of future feature enhancements of GnuTLS. Documentation of the strings accepted may be found in the GnuTLS manual, under "Priority strings". This is online as -&url(http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html), +&url(http://www.gnutls.org/manual/html_node/Priority-Strings.html), but beware that this relates to GnuTLS 3, which may be newer than the version installed on your system. If you are using GnuTLS 3, -&url(http://www.gnu.org/software/gnutls/manual/html_node/Listing-the-ciphersuites-in-a-priority-string.html, then the example code) +&url(http://www.gnutls.org/manual/gnutls.html#Listing-the-ciphersuites-in-a-priority-string, then the example code) on that site can be used to test a given string. Prior to Exim 4.80, an older API of GnuTLS was used, and Exim supported three @@ -25686,7 +25701,7 @@ tls_dhparam = none This may also be set to a string identifying a standard prime to be used for DH; if it is set to &`default`& or, for OpenSSL, is unset, then the prime used is &`ike23`&. There are a few standard primes available, see the -documetnation for &%tls_dhparam%& for the complete list. +documentation for &%tls_dhparam%& for the complete list. See the command .code