DH parameters update, new values & defaultexim-4_88_RC2

* Add three new Exim-specific DH parameter constants; state provenance,
  but no way for others to verify; this is a signed commit, which is
  about as much as we can do for the truly paranoid: provide an audit
  trail.
* Add the RFC 7919 DH primes
  + No TLS feature negotiation, per 7919, but the DH primes can be used
    if folks so choose
* Fixed broken format string in util/gen_pkcs3.c
* Tried to make gen_pkcs3.c support q values.
  + Turns out, q doesn't affect the PEM and that's not a mistake in my
    initialisation; I've checked with a cryptographer, we're losing some
    server-side optimizations but not any security properties for our
    scenario.

Fixes: 1895

2 files changed, 5 insertions, 0 deletions

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 80ea2105d..c68e45ce8 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -114,6 +114,9 @@ JH/29 Fix the connection_reject log selector to apply to the connect ACL.
 
 JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext.
 
+PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created
+      by me.  Added RFC7919 DH primes as an alternative.
+
 
 Exim version 4.87
 -----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index d99b8e0a6..2e060cce2 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -49,6 +49,8 @@ Version 4.88
     returns from the target back to the initiator, rather than spooling the
     message.
 
+13. New built-in constants available for tls_dhparam and default changed.
+
 
 Version 4.87
 ------------