diff options
| author | Phil Pennock <pdp@exim.org> | 2012-05-16 12:15:26 -0400 |
|---|---|---|
| committer | Phil Pennock <pdp@exim.org> | 2012-05-16 12:15:26 -0400 |
| commit | 17c761988f30054827a9951761d93ffeeaad0cb7 (patch) | |
| tree | 10d8b048f0c7059c28a2ad5e4257a19e46d47267 /doc/doc-txt/NewStuff | |
| parent | f675bf30a2ce6242cfc7c3e3997ec5d68a1fca7a (diff) | |
Overhaul of GnuTLS code.
GnuTLS code re-done, using cut&paste for preservation where appropriate.
Stop using deprecated APIs. Stop hard-coding lists of ciphers.
Use gnutls_priority_init() instead.
Turns tls_require_ciphers into a string in the GnuTLS case, not just
OpenSSL case.
Deprecate three gnutls_require_* options; now ignored but not errors.
(No warnings yet).
Added TLS SNI support.
Made the channel binding integration theoretically actually work. I had
it guarded by an #ifdef but the value used was an enum instead. Oops.
Fixed.
New code much more amenable to future work permitting TLS in callouts.
DH param sizes now chosen by GnuTLS maintainers, we use "normal"; that's
suddenly a lot more bits, so the saved filename was changed too.
(GNUTLS_SEC_PARAM_NORMAL).
DH param setup only done for servers now, since clients don't need/use
it.
GnuTLS a lot more robust to library negotiation using stuff we don't
support, error-ing out quickly for other authentication systems (PGP,
etc).
Renamed pseudo_random_number() to vaguely_random_number() which makes
the nature clearer.
GnuTLS now provides a vaguely_random_number() implementation, to match
OpenSSL.
Pull in <inttypes.h> to make the recent arithmetic changes compile on
MacOS.
Nuke test 2011 which related to the gnutls_require_* options now
non-functional.
Diffstat (limited to 'doc/doc-txt/NewStuff')
| -rw-r--r-- | doc/doc-txt/NewStuff | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index ad173041f..57102958a 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -57,8 +57,6 @@ Version 4.78 A new log_selector, +tls_sni, has been added, to log received SNI values for Exim as a server. - Currently OpenSSL only. - 8. The existing "accept_8bitmime" option now defaults to true. This means that Exim is deliberately not strictly RFC compliant. We're following Dan Bernstein's advice in http://cr.yp.to/smtp/8bitmime.html by default. @@ -74,6 +72,14 @@ Version 4.78 10. ${eval } now uses 64-bit values on supporting platforms. A new "G" suffux for numbers indicates multiplication by 1024^3. +11. The GnuTLS support has been revamped; the three options gnutls_require_kx, + gnutls_require_mac & gnutls_require_protocols are no longer supported. + tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority + string, documentation for which is at: + http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html + + SNI support has been added to Exim's GnuTLS integration too. + Version 4.77 ------------ |