From: Mark Wooding Date: Wed, 20 Apr 2016 00:52:52 +0000 (+0100) Subject: base.m4: Be slacker about DH lengths. X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/commitdiff_plain/7b50997dc5e3447c61790f2eeb2cda34c0f3a229?hp=8fa6a8430272f7c9f56f409f6ab9abf1a4ec4b26 base.m4: Be slacker about DH lengths. Reduce the minimum size for general outbound SMTP to about 512 bits, because (a) any DH is better than none, and (b) Exim will defer rather than switching to plaintext if the receiving SMTP advertises STARTTLS. Also introduce new transports with lower limits, and be consistent about actually undershooting the advertised limit by four bits. --- diff --git a/base.m4 b/base.m4 index 25328e7..e78194a 100644 --- a/base.m4 +++ b/base.m4 @@ -418,7 +418,7 @@ smtp: driver = smtp APPLY_HEADER_CHANGES tls_require_ciphers = CONF_acceptable_ciphers - tls_dh_min_bits = 1020 + tls_dh_min_bits = 508 tls_tempfail_tryclear = true m4_define(<:SMTP_TRANS_DHBITS:>, @@ -441,10 +441,14 @@ m4_define(<:SMTP_TRANS_DHBITS:>, {CONF_acceptable_ciphers}) tls_dh_min_bits = $1 tls_tempfail_tryclear = true:>)m4_dnl +smtp_dhbits_512: + SMTP_TRANS_DHBITS(508) +smtp_dhbits_768: + SMTP_TRANS_DHBITS(764) smtp_dhbits_1024: SMTP_TRANS_DHBITS(1020) smtp_dhbits_2048: - SMTP_TRANS_DHBITS(2046) + SMTP_TRANS_DHBITS(2044) ## Transport to a local SMTP server; use TLS and perform client ## authentication.
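Review bot: In the first hunk, the rationale given in the commit message for dropping `tls_dh_min_bits` from 1020 to 508 on the default `smtp` transport (point (b), that Exim defers rather than falling back to plaintext) is not recorded anywhere near the setting, and the same transport sets `tls_tempfail_tryclear = true` two lines below the changed value, which a later reader will naturally read as "try in clear on TLS failure". Add a short comment above `tls_dh_min_bits = 508` stating that a rejected DH prime is expected to cause a deferral and not a cleartext retry, and also note the four-bit undershoot convention (508 for a nominal 512) there, since that convention is only explained in the commit message. Bear in mind that a 508-bit floor admits 512-bit (export-grade) groups, which have been shown to be breakable in practice, so traffic on this transport is at best opportunistically protected; it is worth logging which peers actually negotiate such small groups so they can be reviewed.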
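Review bot: In the second hunk, the new `smtp_dhbits_512` transport is now configured with the same `tls_dh_min_bits` value (508) as the default `smtp` transport from the first hunk, so the two are interchangeable as far as the DH floor is concerned; either document what distinguishes them (for example that `smtp_dhbits_512` is meant to be selected explicitly by a router for known-weak peers) or drop the duplicate. The `SMTP_TRANS_DHBITS` macro definition just above the added lines would be the natural place for a one-line comment explaining why each argument is four bits below its nominal size, since 508, 764, 1020 and 2044 otherwise look like typos to anyone who does not have this commit message to hand; the change of `smtp_dhbits_2048` from 2046 to 2044 is consistent with that convention and is fine.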