author    Jeremy Harris <jgh146exb@wizmail.org>  2021-12-27 15:15:42 +0000
committer Jeremy Harris <jgh146exb@wizmail.org>  2021-12-30 13:50:33 +0000
commit    ea98874e2a6a5aee2d512f3246f7d3c19c2ec63d (patch)
tree      da83f088e3eb0c6afd9a68c04d633bf95a2bd2b5 /doc
parent    ef8a2428cfe2ba86715e8dc1f966f9532ff5d190 (diff)
TLS: Deprecate RFC 5114 DH params. Bug 1895
Diffstat (limited to 'doc')
-rw-r--r--  doc/doc-docbook/spec.xfpt  | 11
-rw-r--r--  doc/doc-txt/ChangeLog      |  2
2 files changed, 12 insertions, 1 deletion
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index b20d82311..00f0dac02 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -18481,8 +18481,17 @@ of the later IKE values, which led into RFC7919 providing new fixed constants
(the "ffdhe" identifiers).
At this point, all of the "ike" values should be considered obsolete;
-they're still in Exim to avoid breaking unusual configurations, but are
+they are still in Exim to avoid breaking unusual configurations, but are
candidates for removal the next time we have backwards-incompatible changes.
+.new
+Two of them in particular (&`ike1`& and &`ike22`&) are called out by RFC 8247
+as MUST NOT use for IPSEC, and two more (&`ike23`& and &`ike24`&) as
+SHOULD NOT.
+Because of this, Exim regards them as deprecated; if either of the first pair
+are used, warnings will be logged in the paniclog, and if any are used then
+warnings will be logged in the mainlog.
+All four will be removed in a future Exim release.
+.wen
The TLS protocol does not negotiate an acceptable size for this; clients tend
to hard-drop connections if what is offered by the server is unacceptable,
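Review bot: the logging sentence in the new paragraph is hard to parse ("if either of the first pair are used, warnings will be logged in the paniclog, and if any are used then warnings will be logged in the mainlog"), and an admin reading it will not immediately see that the MUST NOT pair logs to both files. Suggest splitting it into two plain statements, e.g. "Use of any of the four is logged as a warning in the mainlog. Use of ike1 or ike22 is additionally logged in the paniclog." Two smaller points in the same paragraph: the protocol is conventionally written "IPsec", not "IPSEC", and since the paragraph tells operators the four values are deprecated and will be removed, it should say what to move to; the preceding text already names the RFC 7919 "ffdhe" identifiers, so a one-line pointer such as "use one of the ffdhe values instead" would close the loop. Also note that the commit title and ChangeLog say "RFC 5114" while the spec text deprecates four values including ike1, which is an original IKE group rather than an RFC 5114 one, so the wording here ("Two of them in particular") is the more accurate description of the scope.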
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index b155e6b9d..e7c7085f8 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -63,6 +63,8 @@ JH/13 Bug 2845: Fix handling of tls_require_ciphers for OpenSSL when a value
in 4.95 trapped when normalisation was applied to an option not needing
expansion action.
+JH/14 Bug 1895: TLS: Deprecate RFC 5114 Diffie-Hellman parameters.
+
Exim version 4.95
-----------------
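Review bot: the new JH/14 entry is too terse to be actionable: it does not name the affected identifiers (ike1, ike22, ike23, ike24), does not say that their use now produces mainlog warnings (and paniclog warnings for ike1 and ike22), and does not say they are slated for removal, all of which the matching spec.xfpt change in this commit does state. Since operators skim the ChangeLog to decide whether an upgrade needs a config change, suggest expanding it along the lines of "Deprecate the ike1, ike22, ike23 and ike24 Diffie-Hellman parameter sets; their use is now logged, and they will be removed in a future release." As noted for the spec hunk, "RFC 5114" alone understates the scope because ike1 predates that RFC.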