author Jeremy Harris <jgh146exb@wizmail.org> 2015-05-26 16:36:08 +0100
committer Jeremy Harris <jgh146exb@wizmail.org> 2015-06-14 20:57:55 +0100
commit 10ca4f1ca3116f346dcc19645b59c443e57d26a8
tree f0df6defb69d8cb068f1d21dc1677e526a29f32f /doc
parent 0ba0ee973ddbf1766845642873e668b1a1fdc8a3
Add tls_eccurve main config option. Bug 1397
Patch from Suse, massaged by JH
Diffstat (limited to 'doc')
-rw-r--r-- doc/doc-docbook/spec.xfpt 18
-rw-r--r-- doc/doc-txt/NewStuff 2
2 files changed, 20 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index d44349c20..50dfaf1fd 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -13436,6 +13436,7 @@ listed in more than one group.
.row &%tls_crl%& "certificate revocation list"
.row &%tls_dh_max_bits%& "clamp D-H bit count suggestion"
.row &%tls_dhparam%& "DH parameters for server"
+.row &%tls_eccurve%& "EC curve selection for server"
.row &%tls_ocsp_file%& "location of server certificate status proof"
.row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports"
.row &%tls_privatekey%& "location of server private key"
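Review bot: The new summary row describes tls_eccurve as "EC curve selection for server", but the option text added later in this patch says it "selects a EC curve for use by Exim" without limiting it to the server side. Pick one scope and use the same wording in both places, so that a reader of the option index knows whether outbound (client) TLS is affected.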
@@ -16627,7 +16628,22 @@ prior to the 4.80 release, as Debian used to patch Exim to raise the minimum
acceptable bound from 1024 to 2048.
+.option tls_eccurve main string&!! prime256v1
+.cindex TLS "EC cryptography"
+If built with a recent-enough version of OpenSSL,
+this option selects a EC curve for use by Exim.
+
+Curve names of the form &'prime256v1'& are accepted.
+For even more-recent library versions, names of the form &'P-512'&
+are also accepted, plus the special value &'auto'&
+which tell the library to choose.
+
+If the option is set to an empty string, no EC curves will be enabled.
+
+
.option tls_ocsp_file main string&!! unset
+.cindex TLS "certificate status"
+.cindex TLS "OCSP proof file"
This option
must if set expand to the absolute path to a file which contains a current
status proof for the server's certificate, as obtained from the
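Review bot: In the tls_eccurve text, the example name &'P-512'& does not correspond to any NIST curve (the NIST prime curves are P-256, P-384 and P-521), so it is not a value a reader can copy into a configuration; P-521 or P-256 is probably what was meant. The same paragraph leaves "recent-enough" and "even more-recent" OpenSSL unversioned and does not say what happens on a GnuTLS build or when the curve name is not recognised; stating the minimum library versions and the failure behaviour would let an administrator tell whether any EC curve is actually enabled. Minor wording: "a EC curve" should be "an EC curve", and "which tell the library" should be "which tells the library".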
@@ -16635,6 +16651,8 @@ Certificate Authority.
.option tls_on_connect_ports main "string list" unset
+.cindex SSMTP
+.cindex SMTPS
This option specifies a list of incoming SSMTP (aka SMTPS) ports that should
operate the obsolete SSMTP (SMTPS) protocol, where a TLS session is immediately
set up without waiting for the client to issue a STARTTLS command. For
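Review bot: The ".cindex SSMTP" and ".cindex SMTPS" lines here, like the two .cindex lines added under tls_ocsp_file in the previous hunk, are unrelated to tls_eccurve and are not mentioned in the commit message. Splitting the index additions into their own commit, or noting them in the message, would keep the history for Bug 1397 limited to the new option.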
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index e10a32b3f..010c90d15 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -37,6 +37,8 @@ Version 4.86
12. A non-SMTP authenticator using information from TLS client certificates.
+13. Main option "tls_eccurve" for selecting an Elliptic Curve for TLS.
+
Version 4.85
------------
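Review bot: Entry 13 does not carry the condition that the spec text in this patch attaches to the option, namely that it applies only when Exim is built with a recent-enough OpenSSL. Adding that qualifier, and the prime256v1 default, would keep upgraders from assuming the option takes effect on every build.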