author Jeremy Harris <jgh146exb@wizmail.org> 2019-11-13 12:23:28 +0000
committer Jeremy Harris <jgh146exb@wizmail.org> 2019-11-13 12:28:38 +0000
commit 2043336d393ea7725942b5be81b486b214eb7b9e
tree 20e75aed889361cfddd28310b6c625c8881cb4e1 /doc
parent bf13aee1aa701b1d838a09abd25ded986069e2ef
OpenSSL: when supported by the library version, disable renegotiation for pre-TLS1.3
Diffstat (limited to 'doc')
-rw-r--r-- doc/doc-docbook/spec.xfpt 2
-rw-r--r-- doc/doc-txt/ChangeLog 4
2 files changed, 5 insertions, 1 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 6b2d97b17..ceb377b0a 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16289,7 +16289,7 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)&
transport driver.
-.option openssl_options main "string list" "+no_sslv2 +no_sslv3 +single_dh_use +no_ticket"
+.option openssl_options main "string list" "+no_sslv2 +no_sslv3 +single_dh_use +no_ticket +no_renegotiation"
.cindex "OpenSSL "compatibility options"
This option allows an administrator to adjust the SSL options applied
by OpenSSL to connections. It is given as a space-separated list of items,
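Review bot: the new default on the `.option openssl_options` line lists +no_renegotiation unconditionally, but the commit subject and the ChangeLog entry both say it is applied only when the library version supports it (OpenSSL 1.1.1 onwards). The option's description should state that the item is part of the default only on those library versions, so that an administrator building against an older OpenSSL does not read the documented default and assume renegotiation is disabled. While this paragraph is being touched, the context line `.cindex "OpenSSL "compatibility options"` has unbalanced quotes and could be corrected in the same change.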
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index ac7f3357d..c5b2ca2d8 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -200,6 +200,10 @@ JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted
buffer was used for the filename, resulting in a trap when tainted
arguments (eg. $domain) were used.
+JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below;
+ recommended to avoid a possible server-load attack. The feature can be
+ re-enabled via the openssl_options main cofiguration option.
+
Exim version 4.92
-----------------
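Review bot: "cofiguration" in the last added line of the JH/44 entry should read "configuration". The entry also says the feature can be re-enabled via openssl_options without naming the item involved; mentioning no_renegotiation by name, as the spec.xfpt default now does, would let a reader of the ChangeLog find the setting without opening the spec.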