exim tls fails: minimum Diffie-Hellman prime not configurable

Bug #1039043 reported by Krzysztof
This bug affects 1 person
Affects          Status         Importance   Assigned to   Milestone
exim4 (Debian)   Fix Released   Unknown
exim4 (Ubuntu)   Fix Released   Undecided    Unassigned

Bug Description

Hello,

This is an upstream bug, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684340 and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=676563

Exim fails to send email with this message in log: "The Diffie-Hellman prime sent by the server is not acceptable (not long enough).". This is caused by patch 66_enlarge-dh-parameters-size.dpatch in source package exim (one that you can download with 'apt-get source exim4'). This was fixed in Debian by making DH_BITS value configurable.

$ lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04

$ apt-cache policy exim4
exim4:
  Installed: 4.74-1ubuntu1.2
  Candidate: 4.74-1ubuntu1.2
  Version table:
 *** 4.74-1ubuntu1.2 0
        500 http://mirror.ovh.net/ftp.ubuntu.com/ubuntu/ natty-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu/ natty-security/main amd64 Packages
        100 /var/lib/dpkg/status
     4.74-1ubuntu1 0
        500 http://mirror.ovh.net/ftp.ubuntu.com/ubuntu/ natty/main amd64 Packages

What I expected to happen: exim should deliver the message if the remote server is using weak encryption and exim is configured to accept weak encryption.

What happened instead: exim refused to deliver message, there is no option to make exim accept weak encryption. Message cannot be delivered without messing with exim sources.

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

According to the Debian bug report, this issue was fixed in Debian exim4 4.80-3. The Ubuntu development version is already on 4.80-3ubuntu1 so I presume that this issue is already fixed in the latest Ubuntu development release. As such, I'm marking this bug as Fix Released. If you find this is not the case then please explain and set the bug status back to New.

I appreciate that you may want the fix in 11.04. For this to happen the bug first needs to qualify under the stable update release criteria, which is documented in https://wiki.ubuntu.com/StableReleaseUpdates. I'm not sure that this bug qualifies according to the criteria listed there, so I won't nominate this bug to be fixed for prior stable releases right now. A backport may be more appropriate. But I'm open to hear other views on this. Note that I am not an authority here - it is the SRU team who would make a final decision.

Changed in exim4 (Ubuntu):
status: New → Fix Released
summary:
- exim tls fails: Diffie-Hellman prime too short
+ exim tls fails: minimum Diffie-Hellman prime not configurable

Krzysztof (kwarzecha7) wrote :

Hello,

Thank you for the explanation, I wasn't sure how bugs like this are handled. I don't think it meets the criteria from StableReleaseUpdates.

I worked around this (just one mail so far in my case), so it no longer affects me. I think it will be easier (for others that may encounter this bug) to use a backport.

Changed in exim4 (Debian):
status: Unknown → Fix Released