From: Mark Wooding
Date: Sun, 26 Jan 2014 13:05:32 +0000 (+0000)
Subject: base.m4, exchange.m4, config.m4: Tweak TLS settings.
X-Git-Url: https://git.distorted.org.uk/~mdw/exim-config/commitdiff_plain/b6d742526e8fcf69f22589314ee8f12b7756f026

base.m4, exchange.m4, config.m4: Tweak TLS settings.

Mobile devices object to (a) lack of SHA1, (b) lack of TLSv1.0, and (c) very large (as they see it) Diffie--Hellman groups. Fix these things, grudgingly.
---
diff --git a/base.m4 b/base.m4
index f1701d1..3b3d82f 100644
--- a/base.m4
+++ b/base.m4
@@ -250,7 +250,7 @@ smtp_local:
 tls_privatekey = CONF_sysconf_dir/client.key
 tls_verify_certificates = CONF_ca_dir/ca.cert
 tls_require_ciphers = CONF_good_ciphers
- tls_dh_min_bits = 3070
+ tls_dh_min_bits = 2046
 tls_tempfail_tryclear = false
 authenticated_sender = ${if def:authenticated_id \
 {$authenticated_id@CONF_master_domain} \
diff --git a/config.m4 b/config.m4
index 4678f20..d84f648 100644
--- a/config.m4
+++ b/config.m4
@@ -67,10 +67,10 @@ DEFCONF(relay_clients, +trusted)
 ## fairly hard to encourage any kind of crypto on the grounds that probably
 ## nobody can verify our certificate anyway.
 DEFCONF(good_ciphers, NONE<::>m4_dnl
-:+VERS-TLS1.2:+VERS-TLS1.1<::>m4_dnl
+:+VERS-TLS1.2:+VERS-TLS1.1:+VERS-TLS1.0<::>m4_dnl
 :+DHE-RSA:+DHE-DSS<::>m4_dnl
 :+AES-256-CBC:+AES-128-CBC<::>m4_dnl
-:+SHA256<::>m4_dnl
+:+SHA256:+SHA384:+SHA512:+SHA1<::>m4_dnl
 :+SIGN-RSA-SHA512:+SIGN-RSA-SHA384:+SIGN-RSA-SHA256:+SIGN-DSA-SHA256<::>m4_dnl
 :+CTYPE-X.509<::>m4_dnl
 :+COMP-NULL<::>m4_dnl
diff --git a/exchange.m4 b/exchange.m4
index 00f0b05..ee27e3c 100644
--- a/exchange.m4
+++ b/exchange.m4
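Review bot: The new `tls_dh_min_bits = 2046` in the `smtp_local` transport is an unexplained magic number, two bits under the 2048-bit group that exchange.m4 now serves from `dh-param-2048.pem`. The two values are coupled but live in different files, so a later change to one can silently break the handshake or leave the floor lower than intended. If the offset is slack for a prime reported slightly short of its nominal size, say so next to the setting, e.g. `## 2046, not 2048: allow for a prime reported a bit or two short; servers use dh-param-2048.pem`. The transport definition starts and continues outside this hunk.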
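Review bot: Adding `+VERS-TLS1.0` and `+SHA1` to `good_ciphers` in config.m4 relaxes every user of that macro, not only the mobile clients named in the commit message. The base.m4 hunk shows the `smtp_local` transport also using `tls_require_ciphers = CONF_good_ciphers`, so outbound deliveries will now offer TLS 1.0 with SHA-1 as well. Because the list permits only `AES-256-CBC` and `AES-128-CBC`, a TLS 1.0 session always lands on a CBC suite, the combination with known weaknesses in that protocol version. Consider keeping the previous strict list in a separate macro for the transport (the name is a suggestion, e.g. `DEFCONF(client_ciphers, ...)`) and using the relaxed one only on the server side. The `##` comment above the `DEFCONF` starts outside the hunk and should record why the legacy entries are there.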
@@ -31,7 +31,7 @@ SECTION(global, tls)m4_dnl
 tls_certificate = CONF_sysconf_dir/server.cert
 tls_privatekey = CONF_sysconf_dir/server.key
 tls_advertise_hosts = *
-tls_dhparam = CONF_ca_dir/dh-param.pem
+tls_dhparam = CONF_ca_dir/dh-param-2048.pem
 tls_require_ciphers = ${if or {{={$received_port}{CONF_submission_port}} \
 {match_ip {$sender_host_address}{+trusted}}} \
 {CONF_good_ciphers} \
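Review bot: `tls_dhparam` now names `dh-param-2048.pem`, a file nothing in this commit creates, and it is set unconditionally in the global TLS section. The smaller group therefore applies to every inbound peer, not just the submission-port and trusted clients that the `tls_require_ciphers` condition below singles out. Confirm the file is generated and installed under `CONF_ca_dir` before this configuration is rolled out, since a missing parameter file is likely to make TLS setup fail rather than fall back. The `tls_require_ciphers` expression continues outside the hunk.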