author: Phil Pennock <pdp@exim.org> 2012-05-27 09:14:39 -0400
committer: Phil Pennock <pdp@exim.org> 2012-05-27 09:14:39 -0400
commit: a799883d8ad340d935db4d729a31c02cb8a1d977
tree: 3ceb2a5d711c3430aba48a47cfed59c73d6ddda9 /src/README.UPDATING
parent: cae6e576b589efbe9e22cd65e5f890b21ce84f02
For DH, use standard primes from RFCs
Diffstat (limited to 'src/README.UPDATING')
-rw-r--r-- src/README.UPDATING 15
1 files changed, 15 insertions, 0 deletions
diff --git a/src/README.UPDATING b/src/README.UPDATING
index a15bd418e..6a820bc7c 100644
--- a/src/README.UPDATING
+++ b/src/README.UPDATING
@@ -142,6 +142,21 @@ Exim version 4.80
fail completely. (The check is not done as root, to ensure that problems
here are not made worse by the check).
+ * The "tls_dhparam" option has been updated, so that it can now specify a
+ path or an identifier for a standard DH prime from one of a few RFCs.
+ The default for OpenSSL is no longer to not use DH but instead to use
+ one of these standard primes. The default for GnuTLS is no longer to use
+ a file in the spool directory, but to use that same standard prime.
+ The option is now used by GnuTLS too. If it points to a path, then
+ GnuTLS will use that path, instead of a file in the spool directory;
+ GnuTLS will attempt to create it if it does not exist.
+
+ To preserve the previous behaviour of generating files in the spool
+ directory, set "tls_dhparam = historic". Since prior releases of Exim
+ ignored tls_dhparam when using GnuTLS, this can safely be done before
+ the upgrade.
+
+
Exim version 4.77
-----------------
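
Review bot: The first added paragraph says tls_dhparam can take "an identifier for a standard DH prime from one of a few RFCs" but names neither the accepted identifiers nor which prime becomes the default, so an administrator reading this upgrade note cannot tell which group the server will start using after the upgrade; list the identifiers here or point to the section of the spec that does. In the same paragraph, "The default for OpenSSL is no longer to not use DH" is a double negative that buries a behaviour change: OpenSSL builds that previously offered no DH will now offer it by default. Something like "With OpenSSL, DH was previously not used by default; it now uses one of these standard primes" reads more clearly, and the note should say whether there is a setting that keeps DH off for sites that relied on the old default. For the GnuTLS path case, "GnuTLS will attempt to create it if it does not exist" leaves open what access the target location needs and what happens to TLS if the attempt fails; a sentence on both would help. The second paragraph's "historic" value is described only for the spool-directory behaviour, which is the old GnuTLS default, so it is worth stating what "historic" means on an OpenSSL build.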