[Cryptography] Speaking of EDH (GnuTLS interoperability)
cryptography at dukhovni.org
Sun Sep 8 00:31:28 EDT 2013
Some of you may have seen my posts to postfix-users and openssl-users,
if so, apologies for the duplication.
The short version is that while everyone is busily implementing
EDH, they may run into some interoperability issues. GnuTLS clients
by default insist on a minimum EDH prime size that is not generally
interoperable (2432 bits). Since the TLS protocol only negotiates
the use of EDH, but not the prime size (the EDH parameters are
unilaterally announced by the server), this setting, while
cryptographically sound, is rather poor engineering.
The context in which this was discovered is also "amusing". Exim
uses GnuTLS and has a work-around to drop the DH prime floor to
1024 bits, which is interoperable in practice. Debian however
wanted to "improve" Exim to make it more secure, so the floor was
raised to 2048 bits in a Debian patch. As a result STARTTLS from
Debian's Exim (before sanity was restored in Exim 4.80-3 in Debian
wheezy, AFAIK it is still broken in Debian squeeze) fails with Postfix,
Sendmail, and other SMTP servers.
In all probability this "stronger" version of Exim then needlessly
sends mail without TLS, since with SMTP TLS is typically opportunistic,
and likely after TLS fails delivery is retried in the clear!
P.S. shameless off-topic plug: If you want better than opportunistic
TLS for email, consider adopting DNSSEC for your domains and
publishing TLSA RRs for your SMTP servers. Postfix supports DANE
as of 2.11-20130825. See
Make sure to publish either "IN TLSA 3 1 1" or "IN TLSA 2 1 1".
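What a "3 1 1" (DANE-EE, SPKI, SHA-256) or "2 1 1" (DANE-TA) record actually carries, and why the SPKI selector is the one to prefer, shown as an added example that is not part of the original post or of Postfix. The code parses the DER of an X.509 certificate far enough to pull out the SubjectPublicKeyInfo, builds the TLSA RDATA for a chosen usage/selector/matching type, and checks a presented certificate against a record. The certificate it operates on is a constructed, unsigned DER structure with the TBSCertificate field layout (not a real certificate); the owner name mail.example.com is an assumption.

```python
"""Build and match DANE TLSA records (RFC 6698) from DER certificates.

Added example; the certificate below is a constructed TBSCertificate-shaped
DER blob, not a real signed certificate.
"""
import hashlib
import hmac


# ---- minimal DER encode/decode helpers ----------------------------------

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) of the TLV at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, pos, end


def der_children(tlv: bytes) -> list:
    """Split one constructed DER value into its immediate child TLVs."""
    _, pos, end = _read_tlv(tlv, 0)
    if end != len(tlv):
        raise ValueError("trailing data after DER value")
    children = []
    while pos < end:
        _, _, cend = _read_tlv(tlv, pos)
        children.append(tlv[pos:cend])
        pos = cend
    return children


def spki_of(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of a certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tbs = der_children(cert_der)[0]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:        # explicit [0] version tag present
        fields = fields[1:]
    return fields[5]                # serial, sigAlg, issuer, validity, subject, spki


# ---- TLSA (RFC 6698) --------------------------------------------------------

def tlsa_rdata(usage: int, selector: int, mtype: int, cert_der: bytes) -> str:
    """RDATA "usage selector mtype hex" for cert_der.

    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype:    0 = exact data, 1 = SHA-256, 2 = SHA-512
    """
    data = {0: cert_der, 1: spki_of(cert_der)}[selector]
    digest = {0: lambda d: d,
              1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest.hex()}"


def tlsa_rr(host: str, rdata: str, port: int = 25) -> str:
    """Zone-file line; host is an assumption supplied by the caller."""
    return f"_{port}._tcp.{host}. IN TLSA {rdata}"


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """Does cert_der satisfy the record? For usage 3 pass the server's
    own certificate; for usage 2 pass each chain certificate in turn."""
    usage, selector, mtype, assoc = rdata.split()
    expected = tlsa_rdata(int(usage), int(selector), int(mtype), cert_der)
    return hmac.compare_digest(expected.split()[3], assoc.lower())


# ---- constructed sample data ------------------------------------------------

# rsaEncryption AlgorithmIdentifier + a bogus RSAPublicKey BIT STRING (constructed)
SAMPLE_SPKI = der_seq(
    der_seq(der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05, b"")),
    der(0x03, b"\x00" + der_seq(der(0x02, b"\x00" + b"\xc3" * 32),
                                der(0x02, b"\x01\x00\x01"))),
)


def sample_cert(serial: int) -> bytes:
    """Constructed certificate-shaped DER carrying SAMPLE_SPKI (not signed)."""
    version = der(0xA0, der(0x02, b"\x02"))
    sig_alg = der_seq(der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05, b""))
    name = der_seq()
    validity = der_seq(der(0x17, b"130101000000Z"), der(0x17, b"140101000000Z"))
    tbs = der_seq(version, der(0x02, bytes([serial])), sig_alg,
                  name, validity, name, SAMPLE_SPKI)
    return der_seq(tbs, sig_alg, der(0x03, b"\x00" * 9))


def demo() -> dict:
    """Re-issuing a cert with the same key breaks a 3 0 1 record, not 3 1 1."""
    old, reissued = sample_cert(1), sample_cert(2)
    return {"3 1 1 survives reissue": tlsa_matches(tlsa_rdata(3, 1, 1, old), reissued),
            "3 0 1 survives reissue": tlsa_matches(tlsa_rdata(3, 0, 1, old), reissued)}


if __name__ == "__main__":
    print(tlsa_rr("mail.example.com", tlsa_rdata(3, 1, 1, sample_cert(1))))
    print(demo())
```

The point of `demo()` is the operational one behind "3 1 1": the record pins the key (SPKI), so a routine certificate renewal with the same key pair does not orphan the DNS entry, whereas a "3 0 1" record would have to be republished in lock step with every reissue. A "2 1 1" record is matched the same way, against the SPKI of a trust-anchor certificate that the server includes in its presented chain.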