diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-11-05 17:31:34 +0000 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-11-05 17:31:34 +0000 |
| commit | f6da88972f6404c77bc873873de5f298399cce5b (patch) | |
| tree | d7b9ac3d7d95e8594ca3781e0aa1a5d7a4308328 /doc/doc-docbook/spec.xfpt | |
| parent | aaedd1b5d134fcdc97e67cbe4a389041f0adeb58 (diff) | |
Add doc examples for disabling SSLv3
Diffstat (limited to 'doc/doc-docbook/spec.xfpt')
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 534e1b8f3..20bfb406c 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -15062,16 +15062,21 @@ yourself in the foot in various unpleasant ways. This option should not be adjusted lightly. An unrecognised item will be detected at startup, by invoking Exim with the &%-bV%& flag. +The option affects Exim operating both as a server and as a client. + Historical note: prior to release 4.80, Exim defaulted this value to "+dont_insert_empty_fragments", which may still be needed for compatibility with some clients, but which lowers security by increasing exposure to some now infamous attacks. -An example: +Examples: .code # Make both old MS and old Eudora happy: openssl_options = -all +microsoft_big_sslv3_buffer \ +dont_insert_empty_fragments + +# Disable older protocol versions: +openssl_options = +no_sslv2 +no_sslv3 .endd Possible options may include: @@ -26131,7 +26136,8 @@ The GnuTLS library allows the caller to provide a "priority string", documented as part of the &[gnutls_priority_init]& function. This is very similar to the ciphersuite specification in OpenSSL. -The &%tls_require_ciphers%& option is treated as the GnuTLS priority string. +The &%tls_require_ciphers%& option is treated as the GnuTLS priority string +and controls both protocols and ciphers. The &%tls_require_ciphers%& option is available both as an global option, controlling how Exim behaves as a server, and also as an option of the @@ -26148,6 +26154,12 @@ installed on your system. If you are using GnuTLS 3, &url(http://www.gnutls.org/manual/gnutls.html#Listing-the-ciphersuites-in-a-priority-string, then the example code) on that site can be used to test a given string. +For example: +.code +# Disable older versions of protocols +tls_require_ciphers = NORMAL:%LATEST_RECORD_VERSION:-VERS-SSL3.0 +.endd + Prior to Exim 4.80, an older API of GnuTLS was used, and Exim supported three additional options, "&%gnutls_require_kx%&", "&%gnutls_require_mac%&" and "&%gnutls_require_protocols%&". &%tls_require_ciphers%& was an Exim list. |