[exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS

2021-12-08 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #12 from Ferry  ---
Hi,

seems GnuTLS will make some changes in an upcoming release.

https://gitlab.com/gnutls/gnutls/-/issues/1077#note_756103636

Not sure what that should mean for Exim however. The code might need to
consider what GnuTLS version is used.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##


[exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS

2021-11-20 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2822

Jeremy Harris  changed:

   What          Removed                 Added
   Resolution    ---                     FIXED
   Status        WAIT_FIX_CONFIRMATION   RESOLVED

--- Comment #11 from Jeremy Harris  ---
Nobody commented on whether the reversion had the desired effect;
closing as fixed on the assumption it does.



[exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS

2021-11-06 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #10 from Simon Arlott  ---
(In reply to Jeremy Harris from comment #5)
> (In reply to Ferry from comment #4)
> > According to the responses there either:
> > gnutls_certificate_set_dh_params or gnutls_certificate_set_known_dh_params
> > should be called.
> 
> For both of those the GnuTLS docs say
> "This function is unnecessary and discouraged on GnuTLS 3.6.0 or
>later. Since 3.6.0, DH parameters are negotiated following
>RFC7919."
> 
> We're doing what those docs say.  If they are *wrong* then it's a bug
> in GnuTLS, or in the GnuTLS docs.  We'd like to know, but I see no project
> acknowledgement of the issue in the Gitlab page you reference, or action.

The comments on https://gitlab.com/gnutls/gnutls/-/issues/1077 by the GnuTLS
project team indicate that if neither function is used then the client would
have to indicate which DH parameters should be used. In the absence of that,
Exim is going to have to call one of them.

gnutls_certificate_set_known_dh_params() would be more appropriate than
gnutls_certificate_set_dh_params().

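The negotiation Simon describes, modelled as an added example in Python (it is not Exim or GnuTLS code): it parses the client's supported_groups extension, reads a PKCS#3 "DH PARAMETERS" PEM of the kind tls_dhparam points at (the file Ferry mentions in comment #4), and decides whether a DHE suite can be offered, in the order RFC 7919 section 3 prescribes. Assumptions: the sample ClientHello bytes and the 2048-bit odd number standing in for a prime are constructed, and the 2048-bit minimum is this example's own policy rather than anything GnuTLS enforces.

```python
"""Model of when a TLS server can offer a DHE ciphersuite under RFC 7919.

Added example for this bug thread; NOT Exim or GnuTLS code. It models the
point made above: a server holding no DH parameters (Exim's state once it
stopped calling gnutls_certificate_set_dh_params()) can only negotiate DHE
when the client advertises an RFC 7919 FFDHE group in supported_groups.
Sample bytes are constructed; MIN_DH_BITS is this example's own policy.
"""
import base64
import struct

# NamedGroup code points: FFDHE groups from RFC 7919 section 2,
# x25519 and secp256r1 from RFC 8422 section 5.1.1.
FFDHE_GROUPS = {0x0100: "ffdhe2048", 0x0101: "ffdhe3072", 0x0102: "ffdhe4096",
                0x0103: "ffdhe6144", 0x0104: "ffdhe8192"}
X25519, SECP256R1 = 0x001D, 0x0017
SUPPORTED_GROUPS = 0x000A      # extension type
MIN_DH_BITS = 2048             # example policy (assumption), not a GnuTLS rule


def build_extensions(groups):
    """Construct a ClientHello extensions block carrying only supported_groups."""
    body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HH", SUPPORTED_GROUPS, len(body)) + body
    return struct.pack("!H", len(ext)) + ext


def client_groups(ext_block):
    """Return the NamedGroup list from a ClientHello extensions block.

    Layout: uint16 total length, then repeated (uint16 type, uint16 length,
    data). A ClientHello without supported_groups yields an empty list.
    """
    (total,) = struct.unpack("!H", ext_block[:2])
    buf, i = ext_block[2:2 + total], 0
    if len(buf) != total:
        raise ValueError("truncated extensions block")
    while i + 4 <= len(buf):
        etype, elen = struct.unpack("!HH", buf[i:i + 4])
        data, i = buf[i + 4:i + 4 + elen], i + 4 + elen
        if len(data) != elen:
            raise ValueError("truncated extension")
        if etype == SUPPORTED_GROUPS:
            (n,) = struct.unpack("!H", data[:2])
            if n % 2 or len(data) != 2 + n:
                raise ValueError("bad supported_groups list length")
            return [g for (g,) in struct.iter_unpack("!H", data[2:])]
    return []


def _der_len(n):
    """DER length octets for content length n (short or long form)."""
    if n < 0x80:
        return bytes([n])
    k = (n.bit_length() + 7) // 8
    return bytes([0x80 | k]) + n.to_bytes(k, "big")


def _der_int(buf, i):
    """Decode the DER INTEGER at offset i; return (value, offset after it)."""
    if buf[i] != 0x02:
        raise ValueError("expected INTEGER")
    n, i = buf[i + 1], i + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return int.from_bytes(buf[i:i + n], "big", signed=True), i + n


def parse_dh_params_pem(pem):
    """Return (p, g) from a PEM 'DH PARAMETERS' file of the kind tls_dhparam names.

    PKCS#3 DHParameter is SEQUENCE { prime INTEGER, base INTEGER, ... }.
    """
    lines = [ln.strip() for ln in pem.splitlines()
             if ln.strip() and not ln.strip().startswith("-----")]
    der = base64.b64decode("".join(lines))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    i = 2 + ((der[1] & 0x7F) if der[1] & 0x80 else 0)   # skip the SEQUENCE header
    p, i = _der_int(der, i)
    g, _ = _der_int(der, i)
    return p, g


def encode_dh_params_pem(p, g):
    """Inverse of parse_dh_params_pem; used here only to construct samples."""
    def integer(v):
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")   # leading 0x00 when top bit set
        return b"\x02" + _der_len(len(raw)) + raw
    body = integer(p) + integer(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{wrapped}\n-----END DH PARAMETERS-----\n"


def dhe_available(ext_block, server_dh=None):
    """Model the server's DHE decision for one ClientHello (RFC 7919 section 3).

    server_dh is (p, g) from the server's own parameter file, or None when
    nothing was set. Returns (available, reason).
    """
    offered = [FFDHE_GROUPS[g] for g in client_groups(ext_block) if g in FFDHE_GROUPS]
    if offered:                 # RFC 7919 client: the server must use one of its groups
        return True, "client offered " + offered[0]
    if server_dh is None:       # the state this bug describes: nothing to fall back on
        return False, "no server DH parameters and client offered no FFDHE group"
    p, _ = server_dh            # legacy client: the server's own parameters apply
    if p.bit_length() < MIN_DH_BITS:
        return False, f"configured DH prime is only {p.bit_length()} bits"
    return True, f"server DH parameters ({p.bit_length()} bits)"


if __name__ == "__main__":
    big_p = (1 << 2047) | 0x12345   # constructed stand-in for a 2048-bit safe prime
    server = parse_dh_params_pem(encode_dh_params_pem(big_p, 2))
    for label, hello in (("ECDHE-only client", build_extensions([X25519, SECP256R1])),
                         ("RFC 7919 client", build_extensions([X25519, 0x0100]))):
        print(f"{label:18s} no params   -> {dhe_available(hello)}")
        print(f"{label:18s} with params -> {dhe_available(hello, server)}")
```

Run directly it prints the four combinations; the ECDHE-only client against a server with no parameters is the case this bug reports, and it is also the reason the commit message below calls the GnuTLS documentation wrong: with nothing loaded and no FFDHE group from the peer there is simply no group to negotiate. A live listener can be probed the same way with gnutls-cli --starttls-proto=smtp and a --priority string that keeps only DHE key exchange (for example NORMAL:-KX-ALL:+DHE-RSA).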


[exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS

2021-11-06 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2822

Jeremy Harris  changed:

   What          Removed                 Added
   Status        ASSIGNED                WAIT_FIX_CONFIRMATION

--- Comment #9 from Jeremy Harris  ---
No responses seen on the gnutls-help mailing list, hence the above revert.



[exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS

2021-11-06 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2822

Git Commit  changed:

   What          Removed                 Added
   CC                                    g...@exim.org

--- Comment #8 from Git Commit  ---
Git commit:
https://git.exim.org/exim.git/commitdiff/6db92eab5917e515c83fd773dad677a0207f

commit 6db92eab5917e515c83fd773dad677a0207f
Author: Jeremy Harris 
AuthorDate: Sat Nov 6 20:56:05 2021 +
Commit: Jeremy Harris 
CommitDate: Sat Nov 6 20:56:05 2021 +

revert "gnutls: lose dh-param setup, for recent library versions where no
longer needed".  bug 2822
it seems the documentation lies and the params really are needed.

this reverts commits 041bf37266, 49132a3bb5c6

 doc/doc-docbook/spec.xfpt |  7 +--
 src/src/tls-gnu.c | 34 ++
 2 files changed, 15 insertions(+), 26 deletions(-)



[exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS

2021-10-24 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #7 from Jeremy Harris  ---
Raised the issue on gnutls-h...@lists.gnutls.org
If we're lucky they'll take action one way or the other.
If they stay silent, we will need to assume that the docs are incorrect rather
than the library, and revert 49132a3bb5.



[exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS

2021-10-22 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #6 from Ferry  ---
Until they fix it, it might be wise to set the dhparams: load the referenced
ones from RFC7919, or stop ignoring tls_dhparam.

Without it, it's broken.



[exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS

2021-10-22 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2822

Jeremy Harris  changed:

   What          Removed                 Added
   See Also                              http://bugs.debian.org/968145

--- Comment #5 from Jeremy Harris  ---
(In reply to Ferry from comment #4)
> According to the responses there either:
> gnutls_certificate_set_dh_params or gnutls_certificate_set_known_dh_params
> should be called.

For both of those the GnuTLS docs say
"This function is unnecessary and discouraged on GnuTLS 3.6.0 or
   later. Since 3.6.0, DH parameters are negotiated following
   RFC7919."

We're doing what those docs say.  If they are *wrong* then it's a bug
in GnuTLS, or in the GnuTLS docs.  We'd like to know, but I see no project
acknowledgement of the issue in the Gitlab page you reference, or action.

> If someone would set tls_dhparam [...] or the
> option should be removed.

If we did that someone would raise it as a bug.  We can't win.
We do document that it is ignored, in the main-section options chapter.



[exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS

2021-10-21 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2822

--- Comment #4 from Ferry  ---
Hi,

GnuTLS matrix channel referred to:
https://gitlab.com/gnutls/gnutls/-/issues/1077

According to the responses there either:
gnutls_certificate_set_dh_params or gnutls_certificate_set_known_dh_params
should be called.

I presume the latter isn't called either, since in our setup tls_dhparam points
to a 4096 dhparam set (file in PEM format).

--

Not really versed at this level, but there are known parameters referencing the
mentioned RFC7919. For example here:
https://git.furworks.de/opensourcemirror/opnsense-core/commit/79bf33a1cad1f6c7ca74d47d47bcc25f70cfea4d
- since the RFC more or less states these are secure and there are no known
advantages (but it does reference some disadvantages) versus random, why not
include these?

If someone would set tls_dhparam I personally think those should be used or the
option should be removed. Don't have a preference - it's just that they don't
seem to do anything currently (at least, I would have expected DHE to work if
they were loaded, since the issue seems to stem from there being no dhparams in
the stack).

Mozilla seems to be using the same, although they only seem to offer the 2048 &
4096 variants here:

https://ssl-config.mozilla.org/ffdhe2048.txt
https://ssl-config.mozilla.org/ffdhe4096.txt

Which they reference (depending on the config) in their SSL/TLS config generator
here https://ssl-config.mozilla.org/ (the strong/modern variants only include
ECDHE but (some) lower ones have comments fetching them with curl).



[exim-dev] [Bug 2822] DHE ciphers missing, under GnuTLS

2021-10-20 Thread admin--- via Exim-dev
https://bugs.exim.org/show_bug.cgi?id=2822

Jeremy Harris  changed:

   What              Removed                                   Added
   Component         Exigrep                                   TLS
   Summary           Issues with DHE ciphers - problems with   DHE ciphers missing, under GnuTLS
                     GnuTLS implementation?
   Status            NEW                                       ASSIGNED
   Version           4.94                                      4.93
   Hardware          x86                                       All
   Target Milestone  Indeterminate                             Exim 4.96

--- Comment #3 from Jeremy Harris  ---
Bisection traces to 49132a3bb5 - where we stopped calling
gnutls_certificate_set_dh_params().  This will affect 4.93 onward, for versions
of GnuTLS 3.6.0 and later.

GnuTLS docs (https://www.gnutls.org/manual/html_node/Parameter-generation.html)
say "it's obsolete, no longer needed, do not call".  We are trying to get
clarification from the GnuTLS project.
