author Phil Pennock <pdp@exim.org> 2012-06-24 02:55:29 -0700
committer Phil Pennock <pdp@exim.org> 2012-06-24 02:55:29 -0700
commit a5f239e4959d4df6a4a341d8855e14d17399d671
tree b146fc0467aa091e862fea4cbb038aaf3318aaa3 /doc/doc-txt/NewStuff
parent 585121e2682545b7afa599e039a7a1e2b1804570
Add gnutls_enable_pkcs11 option.
GnuTLS 2.12.0 adds PKCS11 support using p11-kit and by default will autoload modules, which interoperates badly with GNOME keyring integration, configured via paths in environment variables, and Exim invoked by the user (e.g., mailq) will then try to load the modules, fail and spew warnings from the module for a library loaded by a library.

http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs documents that to prevent this, explicitly init PKCS11 before calling gnutls_global_init(). So we do so, unless the admin sets the new option.

Reported by Andreas Metzler, who confirmed that the added calls fixed the problem for him.
Diffstat (limited to 'doc/doc-txt/NewStuff')
-rw-r--r-- doc/doc-txt/NewStuff 10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 6d64faa00..c56256bdd 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -87,6 +87,16 @@ Version 4.81
8. New expansion operators ${listnamed:name} to get the content of a named list
and ${listcount:string} to count the items in a list.
+ 9. New global option "gnutls_enable_pkcs11", defaults false. The GnuTLS
+ rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11
+ modules. For some situations this is desirable, but we expect admin in
+ those situations to know they want the feature. More commonly, it means
+ that GUI user modules get loaded and are broken by the setuid Exim being
+ unable to access files specified in environment variables and passed
+ through, thus breakage. So we explicitly inhibit the PKCS11 initialisation
+ unless this new option is set.
+
+
Version 4.80
------------
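Review bot: the new item 9 describes the symptom but not the mechanism, and its wording has a few rough edges worth fixing before release. "defaults false" should read "default false", "we expect admin in those situations" should be "we expect admins in those situations", and "thus breakage" at the end of the sentence beginning "More commonly" repeats "are broken by" from the same sentence and can be dropped. It would also help the reader to state what Exim now does, as the commit message does: Exim initialises PKCS11 itself before calling gnutls_global_init(), which stops GnuTLS 2.12.0+ from autoloading p11-kit modules, and setting gnutls_enable_pkcs11 restores the autoload behaviour. Finally, since the option is named gnutls_*, a short note that it has no effect in OpenSSL builds would save a support question.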