diff options
author | Phil Pennock <pdp@exim.org> | 2012-05-17 01:32:13 -0400 |
---|---|---|
committer | Phil Pennock <pdp@exim.org> | 2012-05-17 01:32:13 -0400 |
commit | af3498d60d7cae92d50e56353ae19f304b84e6ca (patch) | |
tree | 7c7d4f0ff32504ed7eda563767dd96e190e5fedc /doc/doc-txt | |
parent | eae0036b2dfac1547351908f77a6154b898c45d6 (diff) |
Guards for older releases of GnuTLS.
gnutls_sec_param_to_pk_bits() and gnutls_rnd() are both new as of
GnuTLS 2.12.x. Guard their usage on 2.12.0+ at compile time.
In older versions, the vaguely_random_number() function just immediately
calls the fallback, so it's the same as before this change (just one
extra indirection in the code-path).
Define a constant of 1024 for dh-bits for use in those old releases
where GnuTLS won't tell us how many we should use.
Change the on-disk filename for generated D-H params again, replacing
the -normal with -<bitcount>, so that it's 1024 or whatever, and as
the value changes, Exim will automatically start using the new value.
Diffstat (limited to 'doc/doc-txt')
-rw-r--r-- | doc/doc-txt/ChangeLog | 1 | ||||
-rw-r--r-- | doc/doc-txt/NewStuff | 3 |
2 files changed, 4 insertions, 0 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index ff463b1a4..a93041e62 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -106,6 +106,7 @@ PP/25 Revamped GnuTLS support, passing tls_require_ciphers to gnutls_priority_init, ignoring Exim options gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols (no longer supported). Added SNI support via GnuTLS too. + Made ${randint:..} supplier available, if using not-too-old GnuTLS. PP/26 Added EXPERIMENTAL_OCSP for OpenSSL. diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 82eaeb73b..7b3b5aff0 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -80,6 +80,9 @@ Version 4.78 SNI support has been added to Exim's GnuTLS integration too. + For sufficiently recent GnuTLS libraries, ${randint:..} will now use + gnutls_rnd(), asking for GNUTLS_RND_NONCE level randomness. + 12. With OpenSSL, if built with EXPERIMENTAL_OCSP, a new option tls_ocsp_file is now available. If the contents of the file are valid, then Exim will send that back in response to a TLS status request; this is OCSP Stapling. |