diff options
| author | Phil Pennock <pdp@exim.org> | 2012-05-20 21:49:40 -0400 |
|---|---|---|
| committer | Phil Pennock <pdp@exim.org> | 2012-05-20 21:49:40 -0400 |
| commit | 3375e053c40dacf62a7eac02d52438a43398c053 (patch) | |
| tree | 47d77126f289bf20d0068f5acdea4cbe382f92d8 /doc/doc-txt | |
| parent | 3bcbbbe2697819d248259b1938ffd52d2bf4090b (diff) | |
Added tls_dh_max_bits & check tls_require_ciphers early.
Janne Snabb tracked down the GnuTLS 2.12 vs NSS (Thunderbird) interop
problems to a hard-coded limit of 2236 bits for DH in NSS while GnuTLS
was suggesting 2432 bits as normal.
Added new global option tls_dh_max_bits to clamp all DH values (client
or server); unexpanded integer. Default value to 2236. Apply to both
GnuTLS and OpenSSL (which requires tls_dh_params for this).
Tired of debugging "SMTP fails TLS" error messages in mailing-lists
caused by OpenSSL library/include clashes, and of finding out I typo'd
in tls_require_ciphers only at the STARTTLS handshake. During readconf,
fork/drop-privs/initialise-TLS-library. In that, if tls_require_ciphers
is set, then validate it.
The validation child will panic if it can't initialise or if
tls_require_ciphers can't be parsed, else it exits 0. If the child
exits anything other than 0, the main Exim process will exit.
Diffstat (limited to 'doc/doc-txt')
| -rw-r--r-- | doc/doc-txt/ChangeLog | 8 | ||||
| -rw-r--r-- | doc/doc-txt/NewStuff | 4 |
2 files changed, 12 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 3d0f5c255..9db1c3823 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -137,6 +137,14 @@ PP/31 %D in printf continues to cause issues (-Wformat=security), so for PP/32 GnuTLS was always using default tls_require_ciphers, due to a missing assignment on my part. Fixed. +PP/33 Added tls_dh_max_bits option, defaulting to current hard-coded limit + of NSS, for GnuTLS/NSS interop. Problem root cause diagnosis by + Janne Snabb (who went above and beyond: thank you). + +PP/34 Validate tls_require_ciphers on startup, since debugging an invalid + string otherwise requires a connection and a bunch more work and it's + relatively easy to get wrong. + Exim version 4.77 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 36b85d1ba..59994448f 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -96,6 +96,10 @@ Version 4.80 14. New expansion variable $tod_epoch_l for higher-precision time. +15. New global option tls_dh_max_bits, defaulting to current value of NSS + hard-coded limit of DH ephemeral bits, to fix interop problems caused by + GnuTLS 2.12 library recommending a bit count higher than NSS supports. + Version 4.77 ------------ |