summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNigel Metheringham <nigel@exim.org>2009-10-16 09:51:12 +0000
committerNigel Metheringham <nigel@exim.org>2009-10-16 09:51:12 +0000
commite6060e2ce135caa2d48e682c4d76d071ff760a30 (patch)
tree9f2a2485226a71f2ac2f791de3bcb05730f96211
parent9e3331ea11585533603f7c1b1de5f28fb851d13b (diff)
gnutls_compat_mode to allow compatibility with broken clients. fixes: #665
-rw-r--r--doc/doc-docbook/spec.xfpt13
-rw-r--r--doc/doc-txt/ChangeLog5
-rw-r--r--src/src/globals.c3
-rw-r--r--src/src/globals.h3
-rw-r--r--src/src/readconf.c3
-rw-r--r--src/src/tls-gnu.c14
6 files changed, 35 insertions, 6 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index db8de0805..9541d6e06 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -1,4 +1,4 @@
-. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.58 2009/10/16 08:52:05 tom Exp $
+. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.59 2009/10/16 09:51:12 nm4 Exp $
.
. /////////////////////////////////////////////////////////////////////////////
. This is the primary source of the Exim Manual. It is an xfpt document that is
@@ -12368,6 +12368,7 @@ listed in more than one group.
.row &%gnutls_require_kx%& "control GnuTLS key exchanges"
.row &%gnutls_require_mac%& "control GnuTLS MAC algorithms"
.row &%gnutls_require_protocols%& "control GnuTLS protocols"
+.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
.row &%tls_crl%& "certificate revocation list"
@@ -13367,6 +13368,11 @@ server. For details, see section &<<SECTreqciphgnu>>&.
This option controls the protocols when GnuTLS is used in an Exim
server. For details, see section &<<SECTreqciphgnu>>&.
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+
.option headers_charset main string "see below"
This option sets a default character set for translating from encoded MIME
@@ -21467,6 +21473,11 @@ client. For details, see section &<<SECTreqciphgnu>>&.
This option controls the protocols when GnuTLS is used in an Exim
client. For details, see section &<<SECTreqciphgnu>>&.
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+
.option helo_data smtp string&!! "see below"
.cindex "HELO" "argument, setting"
.cindex "EHLO" "argument, setting"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e7db60003..6153e000b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.569 2009/10/14 14:48:41 nm4 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.570 2009/10/16 09:51:12 nm4 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -111,6 +111,9 @@ NM/19 Bugzilla 745: TLS version reporting
NM/20 Bugzilla 167: bool: condition support
Patch provided by Phil Pennock
+NM/21 Bugzilla 665: gnutls_compat_mode to allow compatibility with broken clients
+ Patch provided by Phil Pennock
+
Exim version 4.69
-----------------
diff --git a/src/src/globals.c b/src/src/globals.c
index 98e1da5d6..b40e8e9dc 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/globals.c,v 1.84 2009/10/15 08:27:37 tom Exp $ */
+/* $Cambridge: exim/src/src/globals.c,v 1.85 2009/10/16 09:51:12 nm4 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -111,6 +111,7 @@ uschar *tls_on_connect_ports = NULL;
uschar *tls_peerdn = NULL;
#ifdef SUPPORT_TLS
+BOOL gnutls_compat_mode = FALSE;
uschar *gnutls_require_mac = NULL;
uschar *gnutls_require_kx = NULL;
uschar *gnutls_require_proto = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 04a030bab..a50d1b469 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/globals.h,v 1.65 2009/10/15 08:27:37 tom Exp $ */
+/* $Cambridge: exim/src/src/globals.h,v 1.66 2009/10/16 09:51:12 nm4 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -71,6 +71,7 @@ extern uschar *tls_on_connect_ports; /* Ports always tls-on-connect */
extern uschar *tls_peerdn; /* DN from peer */
#ifdef SUPPORT_TLS
+extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
extern uschar *gnutls_require_mac; /* So some can be avoided */
extern uschar *gnutls_require_kx; /* So some can be avoided */
extern uschar *gnutls_require_proto; /* So some can be avoided */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 1651ecc6a..c836d37eb 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/readconf.c,v 1.37 2009/10/16 08:51:34 tom Exp $ */
+/* $Cambridge: exim/src/src/readconf.c,v 1.38 2009/10/16 09:51:12 nm4 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -235,6 +235,7 @@ static optionlist optionlist_config[] = {
{ "gecos_name", opt_stringptr, &gecos_name },
{ "gecos_pattern", opt_stringptr, &gecos_pattern },
#ifdef SUPPORT_TLS
+ { "gnutls_compat_mode", opt_bool, &gnutls_compat_mode },
{ "gnutls_require_kx", opt_stringptr, &gnutls_require_kx },
{ "gnutls_require_mac", opt_stringptr, &gnutls_require_mac },
{ "gnutls_require_protocols", opt_stringptr, &gnutls_require_proto },
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index c26a9bac6..0e90b7908 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/tls-gnu.c,v 1.22 2009/10/14 13:52:48 nm4 Exp $ */
+/* $Cambridge: exim/src/src/tls-gnu.c,v 1.23 2009/10/16 09:51:12 nm4 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -792,6 +792,18 @@ if (verify_requirement != VERIFY_NONE)
gnutls_db_set_cache_expiration(session, ssl_session_timeout);
+/* Reduce security in favour of increased compatibility, if the admin
+decides to make that trade-off. */
+if (gnutls_compat_mode)
+ {
+#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
+ DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
+ gnutls_session_enable_compatibility_mode(session);
+#else
+ DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
+#endif
+ }
+
DEBUG(D_tls) debug_printf("initialized GnuTLS session\n");
return session;
}