Remove weak elliptic curves from Exim

00_exim_gnutls.conf

## remove ECDHE support for curves less under 256 bits
tls_require_ciphers = ${if =={$received_port}{25}{NORMAL:%COMPAT:%SERVER_PRECEDENCE:-CURVE-SECP192R1:-CURVE-SECP224R1}{PFS:-DHE-RSA:-3DES-CBC:-CURVE-SECP192R1:-CURVE-SECP224R1}}

I was asked to remove elliptic curves under 256 bits from an Exim installation built with GnuTLS. I'm not knowledgeable enough to advise how urgent the need for removing these curves are. They are still recommended for interoperability by RFC 5480 (from 2009). ECC 192 is in the LEGACY profile, and ECC 224 is in the MEDIUM profile (equivalent to 2048 bit RSA, see GnTLS: Selecting cryptographic key sizes).

For maximum compatibility for port 25 delivery we use the NORMAL keyword (see the gnutls manual) and disable the curves using "-CURVE-curveid"

We determine which curves to disable by listing them, and removing the ones with numbers less than 256 in the name.

$ gnutls-cli -v | head -1
gnutls-cli 3.4.10
$ gnutls-cli -l | grep curves
Elliptic curves: CURVE-SECP192R1, CURVE-SECP224R1, CURVE-SECP256R1, CURVE-SECP384R1, CURVE-SECP521R1