Added tls_dh_max_bits & check tls_require_ciphers early.
[exim.git] / src / src / globals.c
index e6966760936c7438ffd5de513d74221d5be1bf1e..824175fab72fcd28666af0f1eec449463f6ea453 100644 (file)
@@ -111,6 +111,10 @@ const pcre *regex_STARTTLS     = NULL;
 uschar *tls_advertise_hosts    = NULL;    /* This is deliberate */
 uschar *tls_certificate        = NULL;
 uschar *tls_crl                = NULL;
+/* This default matches NSS DH_MAX_P_BITS value at current time (2012), because
+that's the interop problem which has been observed: GnuTLS suggesting a higher
+bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */
+int     tls_dh_max_bits        = 2236;
 uschar *tls_dhparam            = NULL;
 #if defined(EXPERIMENTAL_OCSP) && !defined(USE_GNUTLS)
 uschar *tls_ocsp_file          = NULL;
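Review bot: The new `tls_dh_max_bits` global is a plain `int` with no documented lower bound, and its comment explains the interop reason for 2236 but not that this is an upper clamp on the DH prime size. An administrator who sets it very low, or to zero or a negative value, could silently weaken the key exchange for every client. Whether the option reader or the TLS code range-checks the value is not visible in this hunk, so that should be confirmed where the option is parsed. I would extend the comment with something like `/* Upper clamp on DH prime bits requested from the TLS library; lowering it weakens key exchange, so the option reader must reject values below a sane minimum. */`. Because the default is tied to a 2012 NSS constant, the comment could also say the default should be revisited once clients accept larger primes.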