summaryrefslogtreecommitdiff
path: root/doc/doc-txt
diff options
context:
space:
mode:
authorPhil Pennock <pdp@exim.org>2012-05-17 01:32:13 -0400
committerPhil Pennock <pdp@exim.org>2012-05-17 01:32:13 -0400
commitaf3498d60d7cae92d50e56353ae19f304b84e6ca (patch)
tree7c7d4f0ff32504ed7eda563767dd96e190e5fedc /doc/doc-txt
parenteae0036b2dfac1547351908f77a6154b898c45d6 (diff)
Guards for older releases of GnuTLS.
gnutls_sec_param_to_pk_bits() and gnutls_rnd() are both new as of GnuTLS 2.12.x. Guard their usage on 2.12.0+ at compile time. In older versions, the vaguely_random_number() function just immediately calls the fallback, so it's the same as before this change (just one extra indirection in the code-path). Define a constant of 1024 for dh-bits for use in those old releases where GnuTLS won't tell us how many we should use. Change the on-disk filename for generated D-H params again, replacing the -normal with -<bitcount>, so that it's 1024 or whatever, and as the value changes, Exim will automatically start using the new value.
Diffstat (limited to 'doc/doc-txt')
-rw-r--r--doc/doc-txt/ChangeLog1
-rw-r--r--doc/doc-txt/NewStuff3
2 files changed, 4 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index ff463b1a4..a93041e62 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -106,6 +106,7 @@ PP/25 Revamped GnuTLS support, passing tls_require_ciphers to
gnutls_priority_init, ignoring Exim options gnutls_require_kx,
gnutls_require_mac & gnutls_require_protocols (no longer supported).
Added SNI support via GnuTLS too.
+ Made ${randint:..} supplier available, if using not-too-old GnuTLS.
PP/26 Added EXPERIMENTAL_OCSP for OpenSSL.
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 82eaeb73b..7b3b5aff0 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -80,6 +80,9 @@ Version 4.78
SNI support has been added to Exim's GnuTLS integration too.
+ For sufficiently recent GnuTLS libraries, ${randint:..} will now use
+ gnutls_rnd(), asking for GNUTLS_RND_NONCE level randomness.
+
12. With OpenSSL, if built with EXPERIMENTAL_OCSP, a new option tls_ocsp_file
is now available. If the contents of the file are valid, then Exim will
send that back in response to a TLS status request; this is OCSP Stapling.