[Cryptography] Apple requires 2048 bits for email DH, breaks connection to many providers

Jeremy Stanley fungi at yuggoth.org
Fri Jul 10 20:42:44 EDT 2015

On 2015-07-10 06:46:37 -0400 (-0400), Jerry Leichter wrote:
> The latest releases of MacOS and iOS won't accept small DH groups
> when setting up SSL connections.

Apple's not alone. I became aware of the same thing this week with
some Outlook users no longer able to connect to a Courier IMAP
server I help maintain. Seems it began with the May monthly updates
to Windows 8.1 but will likely spread to older supported versions of
Windows soonish. The solution, unsurprisingly, was to adjust the
mkdhparams defaults and regenerate dhparams.pem on the mailserver.

There's some indication that Thunderbird 38.0.1 has done this too.
In the case of MS and Moz, minimums were apparently only bumped to
1024, not 2048, so carnage may not be quite so widespread for them;
pretty sure this is just all the vendors reacting to Logjam.


Jeremy Stanley
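
Added example, not part of the original message: a check of the DH group size in a dhparams.pem-style file against the client minimums mentioned in this thread. The vendor table reflects only what the thread reports, and sample_pem() builds constructed input (an odd number of the right size, not a real DH prime).

```python
import base64

# Minimum DH prime size (bits) per vendor, as reported in this thread.
CLIENT_MINIMUMS = {"Apple": 2048, "Microsoft": 1024, "Mozilla": 1024}
BEGIN, END = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"

def _read_tlv(buf, pos, want_tag):
    """Read one DER element at pos; return (content, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected or missing DER tag")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of p in a PKCS#3 DHParameter PEM (the dhparams.pem format)."""
    if BEGIN not in pem_text or END not in pem_text:
        raise ValueError("no DH PARAMETERS block found")
    b64 = pem_text.split(BEGIN, 1)[1].split(END, 1)[0]
    der = base64.b64decode("".join(b64.split()))
    seq, _ = _read_tlv(der, 0, 0x30)      # SEQUENCE { p INTEGER, g INTEGER, ... }
    p_bytes, _ = _read_tlv(seq, 0, 0x02)  # first INTEGER is the prime p
    return int.from_bytes(p_bytes, "big").bit_length()

def rejecting_clients(bits):
    """Vendors whose reported minimum exceeds the server's DH prime size."""
    return sorted(v for v, minimum in CLIENT_MINIMUMS.items() if bits < minimum)

def _der(tag, content):
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_pem(bits):
    """Constructed input: p is only an odd number of the right size, not a real DH prime."""
    p = (1 << (bits - 1)) | 1
    body = _der(0x02, p.to_bytes(bits // 8 + 1, "big")) + _der(0x02, b"\x02")
    return BEGIN + "\n" + base64.encodebytes(_der(0x30, body)).decode() + END + "\n"

if __name__ == "__main__":
    for size in (768, 1024, 2048):
        bits = dh_prime_bits(sample_pem(size))
        print(bits, "bit group rejected by:", rejecting_clients(bits) or "none")
```

To audit a real server, pass the contents of its dhparams.pem to dh_prime_bits() instead of the constructed sample.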
