| author | Phil Pennock <pdp@exim.org> | 2012-04-28 06:21:02 -0700 |
|---|---|---|
| committer | Phil Pennock <pdp@exim.org> | 2012-04-28 06:21:02 -0700 |
| commit | c80c557026f3933b0472b13331924f8bd4ed9bf7 (patch) | |
| tree | d7f4603a8e12580505fd2dcc165d70edcc895972 /doc | |
| parent | dec5017e2e41bb85d559e2b35713f1e294cdde8c (diff) | |
TLS fixes for OpenSSL.
Support TLS 1.1 & 1.2
New "openssl_options" values (all now documented).
Set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read or write after
TLS renegotiation, which otherwise led to messages "Got SSL error 2".
Diffstat (limited to 'doc')

| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 55 |
|---|---|---|
| -rw-r--r-- | doc/doc-txt/ChangeLog | 5 |

2 files changed, 60 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index c1f845eaf..e719855f8 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -14362,6 +14362,61 @@ An example: openssl_options = -all +microsoft_big_sslv3_buffer .endd +Possible options may include: +.ilist +&`all`& +.ilist +&`allow_unsafe_legacy_renegotiation`& +.ilist +&`cipher_server_preference`& +.ilist +&`dont_insert_empty_fragments`& +.ilist +&`ephemeral_rsa`& +.ilist +&`legacy_server_connect`& +.ilist +&`microsoft_big_sslv3_buffer`& +.ilist +&`microsoft_sess_id_bug`& +.ilist +&`msie_sslv2_rsa_padding`& +.ilist +&`netscape_challenge_bug`& +.ilist +&`netscape_reuse_cipher_change_bug`& +.ilist +&`no_compression`& +.ilist +&`no_session_resumption_on_renegotiation`& +.ilist +&`no_sslv2`& +.ilist +&`no_sslv3`& +.ilist +&`no_ticket`& +.ilist +&`no_tlsv1`& +.ilist +&`no_tlsv1_1`& +.ilist +&`no_tlsv1_2`& +.ilist +&`single_dh_use`& +.ilist +&`single_ecdh_use`& +.ilist +&`ssleay_080_client_dh_bug`& +.ilist +&`sslref2_reuse_cert_type_bug`& +.ilist +&`tls_block_padding_bug`& +.ilist +&`tls_d5_bug`& +.ilist +&`tls_rollback_bug`& +.endlist + .option oracle_servers main "string list" unset .cindex "Oracle" "server list" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 03f4469af..1d313879a 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -53,6 +53,11 @@ PP/13 tls_peerdn now print-escaped for spool files. Observed some $tls_peerdn in wild which contained \n, which resulted in spool file corruption. +PP/14 TLS fixes for OpenSSL: support TLS 1.1 & 1.2; new "openssl_options" + values; set SSL_MODE_AUTO_RETRY so that OpenSSL will retry a read + or write after TLS renegotiation, which otherwise led to messages + "Got SSL error 2". + Exim version 4.77 ----------------- |
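Review bot: The new `.ilist` block under `openssl_options` in spec.xfpt is a bare list of names with no description of what each value does, and the lead-in "Possible options may include:" leaves it unclear whether the list is complete and whether every name is accepted on every OpenSSL build. Since the commit message says the values are "all now documented", the text should say that the set of accepted names depends on the OpenSSL version Exim was linked against (values such as `no_tlsv1_1`, `no_tlsv1_2` and `no_compression` only make sense where that OpenSSL provides them) and state what happens when a name is not recognised, i.e. whether the configuration is rejected or the value is silently ignored. It should also flag the values that lower the security of a connection rather than fix interoperability, at least `allow_unsafe_legacy_renegotiation` and `legacy_server_connect`, so that an administrator copying from the list knows these re-enable behaviour that the default `-all` example just above turns off.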
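Review bot: The PP/14 ChangeLog entry says "support TLS 1.1 & 1.2" without saying that this requires an OpenSSL release that itself supports those versions; an administrator on an older build will see no change and has nothing in the ChangeLog to explain why, so a short "when built against an OpenSSL that supports them" would help. For the SSL_MODE_AUTO_RETRY part, it would also help to name the underlying condition rather than only the log text: "Got SSL error 2" is Exim reporting the OpenSSL return code SSL_ERROR_WANT_READ (value 2), and giving that name in the entry makes it findable for anyone diagnosing the message on older versions.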