Nick Guerette
2015-07-20 19:18:00 UTC
Not about exim, but likely of critical interest to many running a debian
mail server: libnss 3.19.1 does not accept Diffie-Hellman keys smaller
than 1024 bits, and in its default configuration on Jessie the common
courier-imap server uses a 768-bit key. This means the latest release
of Mozilla Thunderbird will fail to make secure IMAP connections.
The solution is to change the default key size in the
/usr/sbin/mkdhparams script from 768 to 2048 and run it. If
/etc/courier/dhparams.pem was created less than 25 days ago, the script
will not update it, so you must first use touch -d to make it older, or
stop courier and delete dhparams.pem if your operational needs allow.
The bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787579
The justification for this breakage in a minor version release:
https://weakdh.org/
Nick Guerette
Embedded Systems Engineer
Mosaic Industries, Inc.
510-790-8222
http://mosaic-industries.com/embedded-systems
mail server: libnss 3.19.1 does not accept Diffie-Hellman keys smaller
than 1024 bits, and in its default configuration on Jessie the common
courier-imap server uses a 768-bit key. This means the latest release
of Mozilla Thunderbird will fail to make secure IMAP connections.
The solution is to change the default key size in the
/usr/sbin/mkdhparams script from 768 to 2048 and run it. If
/etc/courier/dhparams.pem was created less than 25 days ago, the script
will not update it, so you must first use touch -d to make it older, or
stop courier and delete dhparams.pem if your operational needs allow.
The bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787579
The justification for this breakage in a minor version release:
https://weakdh.org/
Nick Guerette
Embedded Systems Engineer
Mosaic Industries, Inc.
510-790-8222
http://mosaic-industries.com/embedded-systems