On 12-Sep-2013, at 1:18, Florian Weimer <f...@deneb.enyo.de> wrote:

> I suppose the simplest mitigation would be to avoid ephemeral
> Diffie-Hellman key agreement altogether, that is, remove it from the
> cipher suite default.

Dispensing with gnutls and using openssl like most other distros do would possibly make more sense, but that is a license war dating back to 2008 and still open on bts.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446036

and of course these

http://blog.zugschlus.de/archives/585-exim4-vs.-OpenSSL-vs.-GnuTLS.html
http://blog.josefsson.org/2007/11/09/response-to-gnutls-in-exim-debate/

> 512 bits DH probably allows passive attacks, so IMHO it's unsuitable
> even if the peer's certificate isn't validated in some way (because
> like strong DH, this still provides security against passive
> eavesdroppers).

It is a fig leaf but still better than transporting email en clair.

--srs