summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2014-11-05 17:31:34 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2014-11-05 17:31:34 +0000
commitf6da88972f6404c77bc873873de5f298399cce5b (patch)
treed7b9ac3d7d95e8594ca3781e0aa1a5d7a4308328
parentaaedd1b5d134fcdc97e67cbe4a389041f0adeb58 (diff)
Add doc examples for disabling SSLv3
-rw-r--r--doc/doc-docbook/spec.xfpt16
1 files changed, 14 insertions, 2 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 534e1b8f3..20bfb406c 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -15062,16 +15062,21 @@ yourself in the foot in various unpleasant ways. This option should not be
adjusted lightly. An unrecognised item will be detected at startup, by
invoking Exim with the &%-bV%& flag.
+The option affects Exim operating both as a server and as a client.
+
Historical note: prior to release 4.80, Exim defaulted this value to
"+dont_insert_empty_fragments", which may still be needed for compatibility
with some clients, but which lowers security by increasing exposure to
some now infamous attacks.
-An example:
+Examples:
.code
# Make both old MS and old Eudora happy:
openssl_options = -all +microsoft_big_sslv3_buffer \
+dont_insert_empty_fragments
+
+# Disable older protocol versions:
+openssl_options = +no_sslv2 +no_sslv3
.endd
Possible options may include:
@@ -26131,7 +26136,8 @@ The GnuTLS library allows the caller to provide a "priority string", documented
as part of the &[gnutls_priority_init]& function. This is very similar to the
ciphersuite specification in OpenSSL.
-The &%tls_require_ciphers%& option is treated as the GnuTLS priority string.
+The &%tls_require_ciphers%& option is treated as the GnuTLS priority string
+and controls both protocols and ciphers.
The &%tls_require_ciphers%& option is available both as an global option,
controlling how Exim behaves as a server, and also as an option of the
@@ -26148,6 +26154,12 @@ installed on your system. If you are using GnuTLS 3,
&url(http://www.gnutls.org/manual/gnutls.html#Listing-the-ciphersuites-in-a-priority-string, then the example code)
on that site can be used to test a given string.
+For example:
+.code
+# Disable older versions of protocols
+tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0
+.endd
+
Prior to Exim 4.80, an older API of GnuTLS was used, and Exim supported three
additional options, "&%gnutls_require_kx%&", "&%gnutls_require_mac%&" and
"&%gnutls_require_protocols%&". &%tls_require_ciphers%& was an Exim list.