On Sun, Sep 01, 2013 at 11:11:12PM +0000, Viktor Dukhovni wrote:

> This problem has just now been reported for the first time, perhaps
> because someone updated GnuTLS to a recent version that exhibits
> this behaviour. I think the right place for the fix is in GnuTLS
> or applications that use it.

According to:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563

it seems recent Exim versions have code to lower the client-side DH_BITS
to 1024. If Peer Heinlein would be kind enough to post the Exim version
that exhibits the problem and any relevant settings, that would help
narrow down the problem.

I ran "openssl dhparam 1024" 20 times, each time the high-bit of the
1024-bit prime was set, so it seems that OpenSSL does not generate
1024-bit DH groups that have slightly shorter primes. So if the Exim
client is configured to accept 1024-bit DH groups it should work. If it
is only willing to do 2048-bits, it will fail with most non-Exim TLS
servers.

-- 
    Viktor.
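The check Viktor describes, looking at whether the top bit of a "1024-bit" DH prime is actually set, can be automated. The script below is an added example and is not part of the mail, Postfix, Exim or GnuTLS; it parses the PKCS#3 DHParameter structure that `openssl dhparam` writes (SEQUENCE of two INTEGERs, p and g), reports `p.bit_length()`, which is the number a client enforcing a minimum DH_BITS compares against, and models such a client with `client_accepts()`. The sample moduli `FULL_1024` and `SHORT_1024` are constructed here purely to exercise the encoding and bit-length logic; they are not primes and must not be used as real DH groups.

```python
"""
Report the real bit length of the prime in a PKCS#3 DH parameter blob.

A "1024-bit" group whose prime p has its top bit clear is only 1023 bits
long, and a client that insists on DH_BITS >= 1024 will reject it. This
parses the PEM/DER that `openssl dhparam` emits and returns p.bit_length().
"""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(der):
    """Return (p, g) from DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER for p")
    tag, g_bytes, _ = _read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER for g")
    # DER INTEGER is two's complement big-endian: a positive p with its top bit
    # set carries a leading 0x00 byte, so the encoded length is not the bit length.
    return (int.from_bytes(p_bytes, "big", signed=True),
            int.from_bytes(g_bytes, "big", signed=True))


def pem_to_der(pem):
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def prime_bits(der):
    p, _ = parse_dh_params(der)
    return p.bit_length()


def client_accepts(der, dh_bits):
    """Model a client that refuses groups whose prime is shorter than dh_bits."""
    return prime_bits(der) >= dh_bits


# --- encoder, used only to build constructed sample input for this example ---
def _der_int(n):
    # One extra byte of room guarantees a 0x00 sign byte when the top bit is set.
    return _der_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def _der_tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_dh_params(p, g=2):
    return _der_tlv(0x30, _der_int(p) + _der_int(g))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


# Constructed moduli (NOT primes, NOT real DH groups): odd numbers whose top bit
# is set (full 1024 bits) or clear (a "1024-bit" group that is really 1023 bits).
FULL_1024 = (1 << 1023) | (1 << 512) | 1
SHORT_1024 = (1 << 1022) | (1 << 512) | 1

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. openssl dhparam -out dh1024.pem 1024 && python3 check_dh.py dh1024.pem
        with open(sys.argv[1]) as fh:
            der = pem_to_der(fh.read())
        print(sys.argv[1], "p is", prime_bits(der), "bits")
    else:
        for name, p in (("full", FULL_1024), ("short", SHORT_1024)):
            der = pem_to_der(to_pem(encode_dh_params(p)))
            print(name, prime_bits(der), "bits, accepted at DH_BITS=1024:",
                  client_accepts(der, 1024))
```

Run it against a file produced by `openssl dhparam -out dh1024.pem 1024` to see the bit length of the prime OpenSSL actually generated; the constructed `SHORT_1024` case shows the failure mode under discussion, a group that a server advertises as 1024-bit but that a client enforcing DH_BITS=1024 will refuse.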