On 2024-08-09 at 10:17:14, Matěj Cepl wrote:
> When using git send-email to send to a very ancient SMTP server
> (postfix 2.6.6 on CentOS 6), I get this error:
>
> STARTTLS failed! SSL connect attempt failed error:0A00018A:SSL routines::dh key too small at /usr/libexec/git/git-send-email line 1638.

This probably means that the DH key is insecure, so sending mail to this
server with TLS probably won't provide sufficient security. You may want
to reconsider using this mail server, especially since it hasn't had
security updates for well over 3.5 years.

If you're using level 2, then the requirement is the equivalent of 112
bits of security, which is still inadequate by today's standards (which
suggest 128 bits of security, or level 3). Level 1 is 80 bits, which is
probably attackable by government agencies.

> When looking at what seems like a similar error at
> https://github.com/symfony/symfony/issues/44393 it seems I need
> to set `security_level` (whatever it is) to 1. Is it possible
> to do it just with configuration of git or do I need to patch
> something somewhere?

What you're looking for is an OpenSSL configuration on your system. On
my Debian system, the configuration file is in `/etc/ssl/openssl.cnf`.
The steps for what you need to set are available at several different
places online.
https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level
is an example you can use.

I don't believe that Git provides a set of TLS configuration options for
`git send-email`, but if it did, you could control the configuration by
specifying cipher suites as `DEFAULT@SECLEVEL=1`. You might, but
probably would not, need to configure the minimum protocol to something
lower as well. I believe CentOS 6 does support TLS 1.2, so that should
be a fine default and shouldn't need to be modified.

-- 
brian m. carlson (they/them or he/him)
Toronto, Ontario, CA
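An added example, not from either poster, of the configuration discussed above: instead of lowering the security level system-wide in /etc/ssl/openssl.cnf, write a private config with `CipherString = DEFAULT@SECLEVEL=1` and hand it only to the git send-email process via OPENSSL_CONF, plus a diagnostic that reports the ephemeral DH key size the server actually offers. It assumes OpenSSL 1.1.0 or later (libssl auto-loads the file named by OPENSSL_CONF), and the MinProtocol line and the function names are my own choices.

```shell
#!/bin/sh
# Added example: scope a lowered OpenSSL security level to a single
# git send-email run. Assumes OpenSSL >= 1.1.0, which loads the config
# file named by OPENSSL_CONF when libssl initialises.
set -eu

# Write a minimal OpenSSL config whose libssl default is SECLEVEL=1
# (80-bit floor, so a 1024-bit DH key is accepted instead of failing
# with "dh key too small" as it does at the default level 2).
# MinProtocol is pinned to TLS 1.2 (assumption: the server supports it,
# as the reply above expects) so the weaker level cannot also downgrade
# the protocol version.
write_seclevel_cnf() {
    cnf="$1"
    cat > "$cnf" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT@SECLEVEL=1
MinProtocol = TLSv1.2
EOF
    echo "$cnf"
}

# Report the ephemeral key and protocol the server negotiates. The
# handshake is run with the floor lowered so it completes and the
# "Server Temp Key: DH, 1024 bits" line (the cause of the error) is shown.
check_server_temp_key() {
    host="$1"; port="${2:-587}"
    openssl s_client -starttls smtp -connect "$host:$port" \
        -cipher 'DEFAULT@SECLEVEL=1' </dev/null 2>/dev/null \
        | grep -E 'Server Temp Key|Protocol' || echo "no TLS details returned"
}

# Only this child process sees the weakened policy; the system config
# and every other TLS client on the host keep the default level.
send_with_lowered_seclevel() {
    cnf=$(write_seclevel_cnf "$(mktemp)")
    OPENSSL_CONF="$cnf" git send-email "$@"
    rm -f "$cnf"
}

# Usage: sh this.sh check mail.example.org 587   (diagnostic only)
if [ "${1:-}" = "check" ]; then
    check_server_temp_key "$2" "${3:-587}"
fi
```

Run `send_with_lowered_seclevel --to=... 0001-patch.patch` from a shell that has sourced the script; the lowered level lasts only for that command.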