tls_dh_min_bits smtp transport option

Could not find an API for use with OpenSSL, so GnuTLS only
author: Phil Pennock <pdp@exim.org> 2012-06-01 05:52:31 -0400
committer: Phil Pennock <pdp@exim.org> 2012-06-01 05:52:31 -0400
commit: 54c90be16587ca315041c964e251f07fc2bcf0e9 (patch)
tree: 5ceb2487ddd6f8cf06f564e0da4deb0497430c1f /doc/doc-txt/NewStuff
parent: 12f6998964d44c0a40783162fc37eabe770f4382 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 5088a24c4..be8285b67 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -20,6 +20,17 @@ Version 4.81
     For instance, "exim -n -bP pid_file_path" should just emit a pathname
     followed by a newline, and no other text.
 
+ 3. When built with SUPPORT_TLS and USE_GNUTLS, the SMTP transport driver now
+    has a "tls_dh_min_bits" option, to set the minimum acceptable number of
+    bits in the Diffie-Hellman prime offered by a server (in DH ciphersuites)
+    acceptable for security.  (Option accepted but ignored if using OpenSSL).
+    Defaults to 1024, the old value.  May be lowered only to 512, or raised as
+    far as you like.  Raising this may hinder TLS interoperability with other
+    sites and is not currently recommended.  Lowering this will permit you to
+    establish a TLS session which is not as secure as you might like.
+
+    Unless you really know what you are doing, leave it alone.
+
 
 Version 4.80
 ------------
author	Phil Pennock <pdp@exim.org>	2012-06-01 05:52:31 -0400
committer	Phil Pennock <pdp@exim.org>	2012-06-01 05:52:31 -0400
commit	54c90be16587ca315041c964e251f07fc2bcf0e9 (patch)
tree	5ceb2487ddd6f8cf06f564e0da4deb0497430c1f /doc/doc-txt/NewStuff
parent	12f6998964d44c0a40783162fc37eabe770f4382 (diff)