Hi,

"Fundemap S.A. - Sergio Sánchez" <[email protected]> (Fri 01 Apr 2016 19:18:32 CEST):
> Hi,
>
> I'm having TLS errors like this:
> TLS error on connection to mail.xxxx1.com.ar [ip] (gnutls_handshake): The
> Diffie-Hellman prime sent by the server is not acceptable (not long enough).
> TLS error on connection from mail.xxxx2.com.ar (nameserver) [ip]
> (gnutls_handshake): A record packet with illegal version was received.

If I remember well, this was a problem that only occurred on Debian systems.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684340

I think the problem is caused by a Debian-specific "enhancement" of the GnuTLS libs. They require a certain minimum length of the DH prime.

(In more detail and in my understanding, it may be completely wrong: Exim just uses GnuTLS/OpenSSL with default settings, and the default settings of GnuTLS were safe. But Debian maintainers decided to raise the minimum requirements in the GnuTLS runtime.)

Often the other side (here in DE mostly big ISPs) doesn't follow that requirement and thus the connection falls back to non-TLS (if acceptable).

> My config is:
> exim4 -bV
> Exim version 4.71 #1 built 01-Jan-2010 14:03:12
> Copyright (c) University of Cambridge, 1995 - 2007
> ..
> GnuTLS compile-time version: 2.8.5
> GnuTLS runtime version: 2.8.5
> Configuration file is /var/lib/exim4/config.autogenerated

commit 3375e053c40dacf62a7eac02d52438a43398c053
Author: Phil Pennock <[email protected]>
Date:   Sun May 20 21:49:40 2012 -0400

    Added tls_dh_max_bits & check tls_require_ciphers early.

I'm not sure if it's enough to change the GnuTLS runtime. Exim has an option tls_dh_max_bits; I think it was created to solve this problem. It's in the source since 4.80 RC2, so 4.80 should contain that option already.

Best regards from Dresden/Germany
Best regards from Dresden
Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
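The two handshake failures quoted above matter mostly because of what Heiko points out: when the peer's DH group is rejected, Exim may retry the delivery without TLS, so the message goes out in clear. The following is an added example, not code from the thread or from the Exim project, that triages such entries from an Exim main log: it parses the `TLS error on connection ...` lines, counts them by failure type and peer, and flags outbound deliveries (`=>` lines) to a host that previously failed a TLS handshake and whose log entry carries no `X=` cipher field. The sample log lines are constructed (hostnames, addresses and message ids are made up; the error texts are the ones quoted in the thread), and the cleartext heuristic assumes the usual Exim log format in which a `=>` line shows `X=<cipher>` only when the delivery used TLS.

```python
"""Triage Exim main-log TLS handshake failures (added example, not Exim's code)."""
import re
from collections import Counter, defaultdict

# Constructed sample in Exim main-log style: made-up hosts, IPs and message ids;
# the two error messages are the ones quoted on the list.
SAMPLE_LOG = """\
2016-04-01 19:10:02 TLS error on connection to mail.xxxx1.com.ar [192.0.2.10] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
2016-04-01 19:10:03 1apAbC-0001xy-Zz => user@xxxx1.com.ar R=dnslookup T=remote_smtp H=mail.xxxx1.com.ar [192.0.2.10] C="250 OK"
2016-04-01 19:12:44 TLS error on connection from mail.xxxx2.com.ar (nameserver) [198.51.100.7] (gnutls_handshake): A record packet with illegal version was received.
2016-04-01 19:15:09 TLS error on connection to mail.xxxx1.com.ar [192.0.2.10] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
2016-04-01 19:20:30 1apAbD-0001xz-Aa => user@example.net R=dnslookup T=remote_smtp H=mail.example.net [203.0.113.5] X=TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 C="250 OK"
"""

# "TLS error on connection to|from <host> [(<verified name>)] [<ip>] (<stage>): <message>"
TLS_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"TLS error on connection (?P<direction>to|from) "
    r"(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[^\]]+)\] "
    r"\((?P<stage>[^)]+)\): (?P<msg>.*)$"
)

# Outbound delivery line: "<ts> <msgid> => <addr> ... H=<host> [<ip>] <rest>"
# The rest contains "X=<cipher>" when the session was TLS-protected (assumption:
# default Exim log selectors).
DELIVERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ => \S+ .*?\bH=(?P<host>\S+) \[(?P<ip>[^\]]+)\](?P<rest>.*)$"
)

# Substring of the GnuTLS message -> label used for counting.
CATEGORIES = (
    ("Diffie-Hellman prime", "weak_dh_prime"),      # peer's DH group below the local minimum
    ("illegal version", "illegal_record_version"),  # peer sent a record GnuTLS did not accept
)


def classify(message):
    for needle, label in CATEGORIES:
        if needle in message:
            return label
    return "other"


def parse_tls_errors(log_text):
    """Return one dict per TLS error line: ts, direction, host, ip, stage, msg, category."""
    events = []
    for line in log_text.splitlines():
        m = TLS_ERROR_RE.match(line)
        if m:
            events.append({**m.groupdict(), "category": classify(m["msg"])})
    return events


def summarize(log_text):
    """Count failures by category and per peer host, so the noisy peers stand out."""
    events = parse_tls_errors(log_text)
    by_category = Counter(e["category"] for e in events)
    by_peer = defaultdict(Counter)
    for e in events:
        by_peer[e["host"]][e["category"]] += 1
    return {"events": events, "by_category": by_category, "by_peer": dict(by_peer)}


def cleartext_fallbacks(log_text):
    """(ts, host) for deliveries to a host that failed an outbound TLS handshake
    earlier in the log and whose => line has no X= field: likely sent in clear."""
    failed_hosts = set()
    fallbacks = []
    for line in log_text.splitlines():
        err = TLS_ERROR_RE.match(line)
        if err and err["direction"] == "to":
            failed_hosts.add(err["host"])
            continue
        d = DELIVERY_RE.match(line)
        if d and d["host"] in failed_hosts and not re.search(r"\bX=", d["rest"]):
            fallbacks.append((d["ts"], d["host"]))
    return fallbacks


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("by category:", dict(report["by_category"]))
    for host, counts in report["by_peer"].items():
        print(f"  {host}: {dict(counts)}")
    for ts, host in cleartext_fallbacks(SAMPLE_LOG):
        print(f"probable cleartext delivery at {ts} to {host}")
```

Run it against a real `/var/log/exim4/mainlog` by replacing `SAMPLE_LOG` with the file contents; the per-peer counts show which remote domains send DH groups that the local GnuTLS rejects, and the fallback list is the part worth alerting on, since a handshake failure followed by an unencrypted `=>` line is the actual exposure rather than the error text itself.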
