diff options
| author | Phil Pennock <pdp@exim.org> | 2016-05-29 02:31:18 -0400 |
|---|---|---|
| committer | Phil Pennock <pdp@exim.org> | 2016-10-08 19:23:37 -0400 |
| commit | 317e40ac8b1b816f4a22620a5647c6258de61598 (patch) | |
| tree | 46f3796e23ecca09e0992b1a25eadaf8d062a466 /doc | |
| parent | ae5afa61184b6c9b39f58804032b32b42e3ba44e (diff) | |
DH parameters update, new values & defaultexim-4_88_RC2
* Add three new Exim-specific DH parameter constants; state provenance,
but no way for others to verify; this is a signed commit, which is
about as much as we can do for the truly paranoid: provide an audit
trail.
* Add the RFC 7919 DH primes
+ No TLS feature negotiation, per 7919, but the DH primes can be used
if folks so choose
* Fixed broken format string in util/gen_pkcs3.c
* Tried to make gen_pkcs3.c support q values.
+ Turns out, q doesn't affect the PEM and that's not a mistake in my
initialisation; I've checked with a cryptographer, we're losing some
server-side optimizations but not any security properties for our
scenario.
Fixes: 1895
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 38 | ||||
| -rw-r--r-- | doc/doc-txt/ChangeLog | 3 | ||||
| -rw-r--r-- | doc/doc-txt/NewStuff | 2 |
3 files changed, 36 insertions, 7 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index b3f97e1ea..7608dc680 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17034,7 +17034,15 @@ larger prime than requested. The value of this option is expanded and indicates the source of DH parameters to be used by Exim. -If it is a filename starting with a &`/`&, then it names a file from which DH +.new +&*Note: The Exim Maintainers strongly recommend using a filename with site-generated +local DH parameters*&, which has been supported across all versions of Exim. The +other specific constants available are a fallback so that even when +"unconfigured", Exim can offer Perfect Forward Secrecy in older ciphersuites in TLS. +.wen + +If &%tls_dhparam%& is a filename starting with a &`/`&, +then it names a file from which DH parameters should be loaded. If the file exists, it should hold a PEM-encoded PKCS#3 representation of the DH prime. If the file does not exist, for OpenSSL it is an error. For GnuTLS, Exim will attempt to create the file and @@ -17050,23 +17058,39 @@ Exim will attempt to load a file from inside the spool directory. If the file does not exist, Exim will attempt to create it. See section &<<SECTgnutlsparam>>& for further details. +.new If Exim is using OpenSSL and this option is empty or unset, then Exim will load -a default DH prime; the default is the 2048 bit prime described in section +a default DH prime; the default is Exim-specific but lacks verifiable provenance. + +In older versions of Exim the default was the 2048 bit prime described in section 2.2 of RFC 5114, "2048-bit MODP Group with 224-bit Prime Order Subgroup", which in IKE is assigned number 23. Otherwise, the option must expand to the name used by Exim for any of a number -of DH primes specified in RFC 2409, RFC 3526 and RFC 5114. As names, Exim uses -"ike" followed by the number used by IKE, or "default" which corresponds to -"ike23". +of DH primes specified in RFC 2409, RFC 3526, RFC 5114, RFC 7919, or from other +sources. As names, Exim uses a standard specified name, else "ike" followed by +the number used by IKE, or "default" which corresponds to +&`exim.dev.20160529.3`&. -The available primes are: +The available standard primes are: +&`ffdhe2048`&, &`ffdhe3072`&, &`ffdhe4096`&, &`ffdhe6144`&, &`ffdhe8192`&, &`ike1`&, &`ike2`&, &`ike5`&, &`ike14`&, &`ike15`&, &`ike16`&, &`ike17`&, &`ike18`&, -&`ike22`&, &`ike23`& (aka &`default`&) and &`ike24`&. +&`ike22`&, &`ike23`& and &`ike24`&. + +The available additional primes are: +&`exim.dev.20160529.1`&, &`exim.dev.20160529.2`& and &`exim.dev.20160529.3`&. Some of these will be too small to be accepted by clients. Some may be too large to be accepted by clients. +The open cryptographic community has suspicions about the integrity of some +of the later IKE values, which led into RFC7919 providing new fixed constants +(the "ffdhe" identifiers). + +At this point, all of the "ike" values should be considered obsolete; +they're still in Exim to avoid breaking unusual configurations, but are +candidates for removal the next time we have backwards-incompatible changes. +.wen The TLS protocol does not negotiate an acceptable size for this; clients tend to hard-drop connections if what is offered by the server is unacceptable, diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 80ea2105d..c68e45ce8 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -114,6 +114,9 @@ JH/29 Fix the connection_reject log selector to apply to the connect ACL. JH/30 Bug 1897: fix callouts connection fallback from TLS to cleartext. +PP/01 Changed default Diffie-Hellman parameters to be Exim-specific, created + by me. Added RFC7919 DH primes as an alternative. + Exim version 4.87 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index d99b8e0a6..2e060cce2 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -49,6 +49,8 @@ Version 4.88 returns from the target back to the initiator, rather than spooling the message. +13. New built-in constants available for tls_dhparam and default changed. + Version 4.87 ------------ |