authorJeremy Harris <jgh146exb@wizmail.org>2016-05-17 21:42:35 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2016-05-17 21:42:35 +0100
commit20b9a2dc027844f7288508d0f81df815110e4e69 (patch)
treefcbd6d535a54da2eff90dbd480787b7f4d07d56d
parentc3f2eb9a7d99f12fb5b20d88e9bc18a0aa016d64 (diff)
TLS: retire obsolete options gnutls_require_{kx,mac,proto)
-rw-r--r--doc/doc-txt/ChangeLog3
-rw-r--r--src/src/globals.c3
-rw-r--r--src/src/globals.h3
-rw-r--r--src/src/readconf.c10
-rw-r--r--src/src/transports/smtp.c23
-rw-r--r--src/src/transports/smtp.h3
6 files changed, 3 insertions, 42 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3bf6fc908..f5e9b8dea 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -29,6 +29,9 @@ JH/05 If main configuration option tls_certificate is unset, generate a
JH/06 Bug 165: hide more cases of password exposure - this time in expansions
in rewrites and routers.
+JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80
+ and logged a warning sing 4.83; now they are a configuration file error.
+
Exim version 4.87
-----------------
diff --git a/src/src/globals.c b/src/src/globals.c
index 0586fdd98..e7a54c4b8 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -144,9 +144,6 @@ uschar *dsn_advertise_hosts = NULL;
#ifdef SUPPORT_TLS
BOOL gnutls_compat_mode = FALSE;
BOOL gnutls_allow_auto_pkcs11 = FALSE;
-uschar *gnutls_require_mac = NULL;
-uschar *gnutls_require_kx = NULL;
-uschar *gnutls_require_proto = NULL;
uschar *openssl_options = NULL;
const pcre *regex_STARTTLS = NULL;
uschar *tls_advertise_hosts = US"*";
diff --git a/src/src/globals.h b/src/src/globals.h
index 72bb13919..1caf8e8a9 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -108,9 +108,6 @@ extern tls_support tls_out;
#ifdef SUPPORT_TLS
extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
extern BOOL gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
-extern uschar *gnutls_require_mac; /* So some can be avoided */
-extern uschar *gnutls_require_kx; /* So some can be avoided */
-extern uschar *gnutls_require_proto; /* So some can be avoided */
extern uschar *openssl_options; /* OpenSSL compatibility options */
extern const pcre *regex_STARTTLS; /* For recognizing STARTTLS settings */
extern uschar *tls_certificate; /* Certificate file */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 375f01a1a..f4a9b2d23 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -271,11 +271,6 @@ static optionlist optionlist_config[] = {
#ifdef SUPPORT_TLS
{ "gnutls_allow_auto_pkcs11", opt_bool, &gnutls_allow_auto_pkcs11 },
{ "gnutls_compat_mode", opt_bool, &gnutls_compat_mode },
- /* These three gnutls_require_* options stopped working in Exim 4.80 */
- /* From 4.83 we log a warning; a future relase will remove them */
- { "gnutls_require_kx", opt_stringptr, &gnutls_require_kx },
- { "gnutls_require_mac", opt_stringptr, &gnutls_require_mac },
- { "gnutls_require_protocols", opt_stringptr, &gnutls_require_proto },
#endif
{ "header_line_maxsize", opt_int, &header_line_maxsize },
{ "header_maxsize", opt_int, &header_maxsize },
@@ -3497,11 +3492,6 @@ if (openssl_options != NULL)
"openssl_options parse error: %s", openssl_options);
# endif
}
-
-if (!nowarn && (gnutls_require_kx || gnutls_require_mac || gnutls_require_proto))
- log_write(0, LOG_MAIN, "WARNING: main options"
- " gnutls_require_kx, gnutls_require_mac and gnutls_require_protocols"
- " are obsolete\n");
#endif /*SUPPORT_TLS*/
if (!nowarn && !keep_environment && environ && *environ)
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index d295e8019..3a887c151 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -72,17 +72,6 @@ optionlist smtp_transport_options[] = {
(void *)offsetof(smtp_transport_options_block, final_timeout) },
{ "gethostbyname", opt_bool,
(void *)offsetof(smtp_transport_options_block, gethostbyname) },
-#ifdef SUPPORT_TLS
- /* These are no longer honoured, as of Exim 4.80; for now, we silently
- ignore; 4.83 will warn, and a later-still release will remove
- these options, so that using them becomes an error. */
- { "gnutls_require_kx", opt_stringptr,
- (void *)offsetof(smtp_transport_options_block, gnutls_require_kx) },
- { "gnutls_require_mac", opt_stringptr,
- (void *)offsetof(smtp_transport_options_block, gnutls_require_mac) },
- { "gnutls_require_protocols", opt_stringptr,
- (void *)offsetof(smtp_transport_options_block, gnutls_require_proto) },
-#endif
{ "helo_data", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, helo_data) },
{ "hosts", opt_stringptr,
@@ -257,9 +246,6 @@ smtp_transport_options_block smtp_transport_option_defaults = {
NULL, /* tls_crl */
NULL, /* tls_privatekey */
NULL, /* tls_require_ciphers */
- NULL, /* gnutls_require_kx */
- NULL, /* gnutls_require_mac */
- NULL, /* gnutls_require_proto */
NULL, /* tls_sni */
US"system", /* tls_verify_certificates */
EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
@@ -411,15 +397,6 @@ if (ob->hosts_override && ob->hosts != NULL) tblock->overrides_hosts = TRUE;
for them, but do not do any lookups at this time. */
host_build_hostlist(&(ob->fallback_hostlist), ob->fallback_hosts, FALSE);
-
-#ifdef SUPPORT_TLS
-if ( ob->gnutls_require_kx
- || ob->gnutls_require_mac
- || ob->gnutls_require_proto)
- log_write(0, LOG_MAIN, "WARNING: smtp transport options"
- " gnutls_require_kx, gnutls_require_mac and gnutls_require_protocols"
- " are obsolete\n");
-#endif
}
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 07b601a96..8583ab468 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -67,9 +67,6 @@ typedef struct {
uschar *tls_crl;
uschar *tls_privatekey;
uschar *tls_require_ciphers;
- uschar *gnutls_require_kx;
- uschar *gnutls_require_mac;
- uschar *gnutls_require_proto;
uschar *tls_sni;
uschar *tls_verify_certificates;
int tls_dh_min_bits;