On Tue, Sep 03, 2013 at 12:41:46PM -0700, Phil Pennock wrote:
> Okay, I have identified the root cause. The systems that need to be
> placated are older Debian installs, and the method should be broadly
> compatible.
>
> Debian used to patch, in their build system, the value passed to
> gnutls_dh_set_prime_bits() from 1024 to 2048. This is the value of the
> size of the DH parameters which is the "minimum considered acceptable".
> So Debian broke interop with "66_enlarge-dh-parameters-size.dpatch".
Thanks, this is very useful. So the Postfix work-around for servers
that want to receive email over TLS from the broken Debian systems is:
# cd /etc/postfix
# openssl dhparam -out dh2048.pem 2048
# postconf -e 'smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem'
If your openssl(1) version is 1.0.0 or higher, your server may
perform faster if you generate DSA-style parameters:
# openssl dhparam -dsaparam -out dh2048.pem 2048
The "smtpd_tls_dh1024_param_file" is in effect the DH parameter
set for all non-export cipher-suites. It is OK to use a 2048-bit
prime group in this context, provided the CPU cost is acceptable
(generally TLS handshake CPU cost is not on the critical path for
SMTP throughput) and no SMTP clients choke on the larger DH prime.
No changes should be necessary for the default Postfix EECDH curve,
it is strong enough to meet the default lower bounds for GnuTLS,
and Debian likely did not patch this value (in GnuTLS rather than Exim).
Only the "Ultra" priority String in GnuTLS requires EC curves with
more than 256-bits:
{
"Ultra", /* Name */
GNUTLS_SEC_PARAM_ULTRA, /* Enum */
256, /* Symmetric bits */
15424, /* RSA/EDH modulus bits */
3072, /* DSA bits */
512, /* subgroup bits */
512 /* EC bits */
},
We can reasonably assume that no MTA is configured to use the
"Ultra" security level as a default for all Internet destinations.
--
Viktor.
