| author | Phil Pennock <pdp@exim.org> | 2010-06-05 09:10:08 +0000 |
|---|---|---|
| committer | Phil Pennock <pdp@exim.org> | 2010-06-05 09:10:08 +0000 |
| commit | 77bb000fa965b786ddb1085dd5af6c80c7d425b0 (patch) | |
| tree | 8af1cc6f65b2ce7dfcb31c652c5899c93a2c9ad4 /doc | |
| parent | de56d7a1960dedef0bf39b92deceee807ab88dc7 (diff) | |
Add an openssl_options main configuration option, to allow administrators to
shoot themselves in each foot in turn. The default value is chosen to avoid
a change in behaviour, but since it is disabling a security countermeasure,
I'd like to change the default to be "no options". Fixes: #994
Diffstat (limited to 'doc')
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 33 |
| -rw-r--r-- | doc/doc-txt/ChangeLog | 4 |
| -rw-r--r-- | doc/doc-txt/NewStuff | 14 |
3 files changed, 48 insertions, 3 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index b33edeb97..493c55445 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1,4 +1,4 @@ -. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.74 2010/05/29 19:26:31 nm4 Exp $ +. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.75 2010/06/05 09:10:08 pdp Exp $ . . ///////////////////////////////////////////////////////////////////////////// . This is the primary source of the Exim Manual. It is an xfpt document that is @@ -12392,6 +12392,7 @@ listed in more than one group. .row &%gnutls_require_mac%& "control GnuTLS MAC algorithms" .row &%gnutls_require_protocols%& "control GnuTLS protocols" .row &%gnutls_compat_mode%& "use GnuTLS compatibility mode" +.row &%openssl_options%& "adjust OpenSSL compatibility options" .row &%tls_advertise_hosts%& "advertise TLS to these hosts" .row &%tls_certificate%& "location of server certificate" .row &%tls_crl%& "certificate revocation list" 
@@ -14003,6 +14004,36 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)& transport driver. +.option openssl_options main "string list" +dont_insert_empty_fragments +.cindex "OpenSSL "compatibility options" +This option allows an administrator to adjust the SSL options applied +by OpenSSL to connections. It is given as a space-separated list of items, +each one to be +added or -subtracted from the current value. The default +value is one option which happens to have been set historically. You can +remove all options with: +.code +openssl_options = -all +.endd +This option is only available if Exim is built against OpenSSL. The values +available for this option vary according to the age of your OpenSSL install. +The &"all"& value controls a subset of flags which are available, typically +the bug workaround options. The &'SSL_CTX_set_options'& man page will +list the values known on your system and Exim should support all the +&"bug workaround"& options and many of the &"modifying"& options. The Exim +names lose the leading &"SSL_OP_"& and are lower-cased. + +Note that adjusting the options can have severe impact upon the security of +SSL as used by Exim. It is possible to disable safety checks and shoot +yourself in the foot in various unpleasant ways. This option should not be +adjusted lightly. An unrecognised item will be detected at by invoking Exim +with the &%-bV%& flag. + +An example: +.code +openssl_options = -all +microsoft_big_sslv3_buffer +.endd + + .option oracle_servers main "string list" unset .cindex "Oracle" "server list" This option provides a list of Oracle servers and associated connection data, diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 7b560e527..3ed3aa8c7 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog 
@@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.616 2010/06/03 15:20:41 jetmore Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.617 2010/06/05 09:10:09 pdp Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -14,6 +14,8 @@ PP/02 Include check_rfc2047_length in configure.default because we're seeing JJ/01 Added DISABLE_DKIM and comment to src/EDITME +PP/03 Bugzilla 994: added openssl_options main configuration option. + Exim version 4.72 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index b42c0d07c..589bc5397 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/NewStuff,v 1.165 2010/06/03 15:20:41 jetmore Exp $ +$Cambridge: exim/doc/doc-txt/NewStuff,v 1.166 2010/06/05 09:10:09 pdp Exp $ New Features in Exim -------------------- @@ -9,6 +9,18 @@ test from the snapshots or the CVS before the documentation is updated. Once the documentation is updated, this file is reduced to a short list. +Version 4.73 +------------ + + 1. A new main configuration option, "openssl_options", is available if Exim + is built with SSL support provided by OpenSSL. The option allows + administrators to specify OpenSSL options to be used on connections; + typically this is to set bug compatibility features which the OpenSSL + developers have not enabled by default. There may be security + consequences for certain options, so these should not be changed + frivolously. + + Version 4.72 ------------ |
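Review bot: in the spec.xfpt hunk that adds the openssl_options section, the index line `.cindex "OpenSSL "compatibility options"` has unbalanced quotes (the first term never closes); it should read `.cindex "OpenSSL" "compatibility options"`. In the same hunk, "An unrecognised item will be detected at by invoking Exim with the &%-bV%& flag" carries a stray "at", and the security paragraph would be more useful if it said what the commit message already admits: the default, dont_insert_empty_fragments, is itself a disabled OpenSSL countermeasure kept only to avoid a behaviour change, so `openssl_options = -all` is the conservative setting and every `+` item should be justified per deployment.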
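Review bot: the NewStuff hunk for 4.73 warns of "security consequences for certain options" but never states the current default or how to check a configuration, so an upgrading administrator cannot act on it; suggest naming the default (dont_insert_empty_fragments, retained for compatibility per the commit message), mentioning that `openssl_options = -all` removes every workaround flag, and noting that unrecognised items are reported by running Exim with -bV, as the spec text does.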