OSEC

Exim dislikes the Postfix DH-cipher-length

From: Peer Heinlein (p.heinleinheinlein-support.de)
Date: Sun Sep 01 2013 - 06:59:38 CDT


For using ECDHE ("perfect forward secrecy") it's necessary to define two
files with DH-primes:

rootmx2:~# postconf | grep dh_
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem

ECDHE works fine, but not with older versions of Exim:

013-08-27 14:57:40 1VEIq4-0001mV-BC TLS error on connection to
mx0.jpberlin.de [91.198.250.20] (gnutls_handshake): The Diffie-Hellman
prime sent by the server is not acceptable (not long enough)

Those exim versions expect a length of 2048 (hardcoded), just in newer
versions it's possible to configure the necessary length down to 512 or
1024.

We're not sure who is right and who is not.

*) Looks like Postfix isn't able to use a length of 2048. Why?

*) Or is it a mistake in Exim, because nobody uses 2048 and Exim
shouldn't expect that length by default (or at all)?

Peer

--
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-42
Fax: 030 / 405051-19

Mandatory disclosures per §35a GmbHG: HRB 93818 B / Amtsgericht
Berlin-Charlottenburg,
Managing director: Peer Heinlein -- Registered office: Berlin
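As an added example (not from Peer's mail, and not code from Postfix or Exim), here is a small Python check that reads a PEM DH parameter file of the kind named in smtpd_tls_dh1024_param_file, parses the PKCS#3 SEQUENCE { p, g } and reports the bit length of the prime, which is exactly what the Exim error above objects to; the two sample files are constructed from placeholder moduli whose only meaningful property is their length (they are not real safe primes), and the 2048-bit minimum is taken from the error message in the mail.

```python
import base64
import re
import textwrap
HEADER, FOOTER = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"

def _der_length(n):
    # DER length octets: short form below 128, long form (0x80|N followed by N bytes) above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_integer(x):
    # DER INTEGER; bit_length()//8 + 1 bytes gives the minimal encoding that stays positive
    body = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_length(len(body)) + body

def encode_dh_params_pem(p, g=2):
    # PKCS#3 DHParameter is SEQUENCE { INTEGER p, INTEGER g }, PEM-armoured at 64 columns
    seq = _der_integer(p) + _der_integer(g)
    der = b"\x30" + _der_length(len(seq)) + seq
    return f"{HEADER}\n{textwrap.fill(base64.b64encode(der).decode(), 64)}\n{FOOTER}\n"

def _read_tlv(buf, i=0):
    # one DER tag/length/value at offset i -> (tag, value bytes, next offset)
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + length], i + length

def dh_prime_bits(pem):
    # bit length of the prime p in a PEM DH parameter file (the value Exim's check looks at)
    m = re.search(re.escape(HEADER) + r"(.*?)" + re.escape(FOOTER), pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der)
    tag2, p_bytes, _ = _read_tlv(seq)
    if (tag, tag2) != (0x30, 0x02):
        raise ValueError("not a SEQUENCE starting with INTEGER p")
    return int.from_bytes(p_bytes, "big").bit_length()

def acceptable_to_old_exim(pem, minimum_bits=2048):
    # older Exim (per the error in the mail) hard-codes a 2048-bit minimum for the server's prime
    return dh_prime_bits(pem) >= minimum_bits

SAMPLE_1024_PEM = encode_dh_params_pem((1 << 1023) | 1)  # constructed: NOT a real prime,
SAMPLE_2048_PEM = encode_dh_params_pem((1 << 2047) | 1)  # only the bit length matters here
```

The Postfix parameter name is historical: the file given to smtpd_tls_dh1024_param_file may hold 2048-bit parameters (for example generated with `openssl dhparam -out /etc/postfix/dh_2048.pem 2048`), and such a file passes this check.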