path: root/doc
author    Phil Pennock <pdp@exim.org>  2010-06-05 09:10:08 +0000
committer Phil Pennock <pdp@exim.org>  2010-06-05 09:10:08 +0000
commit    77bb000fa965b786ddb1085dd5af6c80c7d425b0 (patch)
tree      8af1cc6f65b2ce7dfcb31c652c5899c93a2c9ad4 /doc
parent    de56d7a1960dedef0bf39b92deceee807ab88dc7 (diff)
Add an openssl_options main configuration option, to allow administrators to
shoot themselves in each foot in turn. The default value is chosen to avoid a change in behaviour, but since it is disabling a security countermeasure, I'd like to change the default to be "no options". Fixes: #994
Diffstat (limited to 'doc')
-rw-r--r--  doc/doc-docbook/spec.xfpt  33
-rw-r--r--  doc/doc-txt/ChangeLog       4
-rw-r--r--  doc/doc-txt/NewStuff       14
3 files changed, 48 insertions, 3 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index b33edeb97..493c55445 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -1,4 +1,4 @@
-. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.74 2010/05/29 19:26:31 nm4 Exp $
+. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.75 2010/06/05 09:10:08 pdp Exp $
.
. /////////////////////////////////////////////////////////////////////////////
. This is the primary source of the Exim Manual. It is an xfpt document that is
@@ -12392,6 +12392,7 @@ listed in more than one group.
.row &%gnutls_require_mac%& "control GnuTLS MAC algorithms"
.row &%gnutls_require_protocols%& "control GnuTLS protocols"
.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
+.row &%openssl_options%& "adjust OpenSSL compatibility options"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
.row &%tls_crl%& "certificate revocation list"
@@ -14003,6 +14004,36 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)&
transport driver.
+.option openssl_options main "string list" +dont_insert_empty_fragments
+.cindex "OpenSSL "compatibility options"
+This option allows an administrator to adjust the SSL options applied
+by OpenSSL to connections. It is given as a space-separated list of items,
+each one to be +added or -subtracted from the current value. The default
+value is one option which happens to have been set historically. You can
+remove all options with:
+.code
+openssl_options = -all
+.endd
+This option is only available if Exim is built against OpenSSL. The values
+available for this option vary according to the age of your OpenSSL install.
+The &"all"& value controls a subset of flags which are available, typically
+the bug workaround options. The &'SSL_CTX_set_options'& man page will
+list the values known on your system and Exim should support all the
+&"bug workaround"& options and many of the &"modifying"& options. The Exim
+names lose the leading &"SSL_OP_"& and are lower-cased.
+
+Note that adjusting the options can have severe impact upon the security of
+SSL as used by Exim. It is possible to disable safety checks and shoot
+yourself in the foot in various unpleasant ways. This option should not be
+adjusted lightly. An unrecognised item will be detected at by invoking Exim
+with the &%-bV%& flag.
+
+An example:
+.code
+openssl_options = -all +microsoft_big_sslv3_buffer
+.endd
+
+
.option oracle_servers main "string list" unset
.cindex "Oracle" "server list"
This option provides a list of Oracle servers and associated connection data,
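Review bot: the index entry `.cindex "OpenSSL "compatibility options"` is missing the closing quote after OpenSSL; the neighbouring `.cindex "Oracle" "server list"` shows the intended form, so this should read `.cindex "OpenSSL" "compatibility options"` or the xfpt index will be mis-parsed. Three smaller points in the same block: "An unrecognised item will be detected at by invoking Exim with the &%-bV%& flag" has a stray "at"; "You can remove all options with: openssl_options = -all" overstates what the later sentence admits, namely that "all" covers only the bug-workaround subset of flags, so say "remove all the bug-workaround options" and state explicitly that the default `dont_insert_empty_fragments` is within that subset and is therefore cleared by `-all`; and since the commit message describes that default as disabling a security countermeasure, the text "one option which happens to have been set historically" should say what the option does (it stops OpenSSL inserting the empty fragments the name refers to, a countermeasure against attacks on CBC cipher suites) and that `-all` is the setting that restores the countermeasure, so an administrator reading only this section can make the choice deliberately rather than being told merely not to adjust it lightly.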
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 7b560e527..3ed3aa8c7 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.616 2010/06/03 15:20:41 jetmore Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.617 2010/06/05 09:10:09 pdp Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -14,6 +14,8 @@ PP/02 Include check_rfc2047_length in configure.default because we're seeing
JJ/01 Added DISABLE_DKIM and comment to src/EDITME
+PP/03 Bugzilla 994: added openssl_options main configuration option.
+
Exim version 4.72
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index b42c0d07c..589bc5397 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/NewStuff,v 1.165 2010/06/03 15:20:41 jetmore Exp $
+$Cambridge: exim/doc/doc-txt/NewStuff,v 1.166 2010/06/05 09:10:09 pdp Exp $
New Features in Exim
--------------------
@@ -9,6 +9,18 @@ test from the snapshots or the CVS before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
+Version 4.73
+------------
+
+ 1. A new main configuration option, "openssl_options", is available if Exim
+ is built with SSL support provided by OpenSSL. The option allows
+ administrators to specify OpenSSL options to be used on connections;
+ typically this is to set bug compatibility features which the OpenSSL
+ developers have not enabled by default. There may be security
+ consequences for certain options, so these should not be changed
+ frivolously.
+
+
Version 4.72
------------
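Review bot: the NewStuff entry says the option is "typically" used to enable bug-compatibility features "which the OpenSSL developers have not enabled by default", but it does not mention that Exim itself already applies `+dont_insert_empty_fragments` by default, nor that this is the value the commit message calls a disabled security countermeasure. Add one sentence giving the default and the `openssl_options = -all` form that clears it, matching what spec.xfpt documents, so that administrators reading only the release notes learn that the security-relevant action is removing an option, not adding one.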