| | | |
|---|---|---|
| author | Phil Pennock <pdp@exim.org> | 2012-05-04 08:27:09 -0700 |
| committer | Phil Pennock <pdp@exim.org> | 2012-05-04 08:27:09 -0700 |
| commit | 3f0945ffae8acee547d11ae53d38fbdf9a2cc81f | |
| tree | 2e726521f7a030478238a0dab3841fdaafde1e26 /doc | |
| parent | 7be682ca5ebd9571a01b762195b11c34cd231830 | |
More tls_sni support: outbound, logging.
tls_sni as SMTP transport option.
Use correct storage pool for copying tls_sni, so it survives for the life of the process.
Add +tls_sni log-selector, for inbound tls_sni.
Update exipick to handle -tls_sni in spool files.
Also reset tls_bits at start of outbound connection (was missing).
Diffstat (limited to 'doc')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 36 |
| -rw-r--r-- | doc/doc-txt/ChangeLog | 2 |
| -rw-r--r-- | doc/doc-txt/NewStuff | 7 |
| -rw-r--r-- | doc/doc-txt/OptionLists.txt | 1 |
4 files changed, 44 insertions, 2 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 32e24ca80..ea4e040e1 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -11899,8 +11899,8 @@ If the variable appears in &%tls_certificate%& then this option and a different certificate to be presented (and optionally a different key to be used) to the client, based upon the value of the SNI extension. -The value will be retained for the lifetime of the message, and not changed -during outbound SMTP. +The value will be retained for the lifetime of the message. During outbound +SMTP deliveries, it reflects the value of the tls_sni option on the transport. This is currently only available when using OpenSSL, built with support for SNI. @@ -15627,6 +15627,12 @@ receiving incoming messages as a server. If you want to supply certificates for use when sending messages as a client, you must set the &%tls_certificate%& option in the relevant &(smtp)& transport. +.new +If the option contains &$tls_sni$& and Exim is built against OpenSSL, then +if the OpenSSL build supports TLS extensions and the TLS client sends the +Server Name Indication extension, then this option and &%tls_privatekey%& +will be re-expanded. +.wen .option tls_crl main string&!! unset .cindex "TLS" "server certificate revocation list" @@ -15659,6 +15665,11 @@ the expansion is forced to fail, or the result is an empty string, the private key is assumed to be in the same file as the server's certificates. See chapter &<<CHAPTLS>>& for further details. +.new +See &%tls_certificate%& discussion of &$tls_sni$& for when this option may be +re-expanded. +.wen + .option tls_remember_esmtp main boolean false .cindex "TLS" "esmtp state; remembering" 
@@ -22371,6 +22382,20 @@ ciphers is a preference order. +.new +.option tls_sni smtp string&!! unset +.cindex "TLS" "Server Name Indication" +.vindex "&$tls_sni$&" +If this option is set then it sets the $tls_sni variable and causes any +TLS session to pass this value as the Server Name Indication extension to +the remote side, which can be used by the remote side to select an appropriate +certificate and private key for the session. + +OpenSSL only, also requiring a build of OpenSSL that supports TLS extensions. +.wen + + + .option tls_tempfail_tryclear smtp boolean true .cindex "4&'xx'& responses" "to STARTTLS" When the server host is not in &%hosts_require_tls%&, and there is a problem in @@ -33155,6 +33180,7 @@ selection marked by asterisks: &` tls_certificate_verified `& certificate verification status &`*tls_cipher `& TLS cipher suite on <= and => lines &` tls_peerdn `& TLS peer DN on <= and => lines +&` tls_sni `& TLS SNI on <= lines &` unknown_in_list `& DNS lookup failed in list match &` all `& all of the above @@ -33450,6 +33476,12 @@ connection, the cipher suite used is added to the log line, preceded by X=. connection, and a certificate is supplied by the remote host, the peer DN is added to the log line, preceded by DN=. .next +.cindex "log" "TLS SNI" +.cindex "TLS" "logging SNI" +&%tls_sni%&: When a message is received over an encrypted connection, and +the remote host provided the Server Name Indication extension, the SNI is +added to the log line, preceded by SNI=. +.next .cindex "log" "DNS failure in list" &%unknown_in_list%&: This setting causes a log entry to be written when the result of a list match is failure because a DNS lookup failed. diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 4ad79c28e..55cde6dcf 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog 
@@ -75,6 +75,8 @@ PP/16 Removed "dont_insert_empty_fragments" fron "openssl_options". PP/17 OpenSSL: new expansion var $tls_sni, which if used in tls_certificate lets Exim select keys and certificates based upon TLS SNI from client. + Also option tls_sni on SMTP Transports. Also clear $tls_bits correctly + before an outbound SMTP session. New log_selector, +tls_sni. Exim version 4.77 diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index b788b45dc..2872d241f 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -47,6 +47,13 @@ Version 4.78 sends the TLS Server Name Indication extension, to permit choosing a different certificate; tls_privatekey will also be re-expanded. You must still set these options to expand to valid files when $tls_sni is not set. + + The SMTP Transport has gained the option tls_sni, which will set a hostname + for outbound TLS sessions, and set $tls_sni too. + + A new log_selector, +tls_sni, has been added, to log received SNI values + for Exim as a server. + Currently OpenSSL only. diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index b10f3f1aa..52a24b198 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -554,6 +554,7 @@ tls_privatekey string* unset main tls_remember_emstp boolean false main 4.21 tls_require_ciphers string* unset smtp 4.00 replaces tls_verify_ciphers string* unset main 4.33 +tls_sni string* unset main 4.78 tls_tempfail_tryclear boolean true smtp 4.05 tls_try_verify_hosts host list unset main 4.00 tls_verify_certificates string* unset main 3.20 |
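Review bot: in the spec.xfpt hunk at @@ -11899, the replacement sentence "During outbound SMTP deliveries, it reflects the value of the tls_sni option on the transport" leaves unstated what &$tls_sni$& holds on a delivery whose transport does not set tls_sni; say explicitly whether it is then empty or still carries the value received inbound, since the removed text promised the value was "not changed during outbound SMTP" and readers of the old wording may rely on that.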
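Review bot: the paragraph added at @@ -15627 chains its conditions as "then if ... then", which is hard to parse; suggest "If the option contains &$tls_sni$&, Exim is built against an OpenSSL that supports TLS extensions, and the TLS client sends the Server Name Indication extension, then this option and &%tls_privatekey%& will be re-expanded." Because the re-expansion is triggered by a string chosen by the connecting client, this paragraph is also the natural place to tell administrators that an expansion which derives a file name from &$tls_sni$& should map the name through a lookup of known server names rather than interpolate it into a path directly.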
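Review bot: the cross-reference added at @@ -15659, "See &%tls_certificate%& discussion of &$tls_sni$&", is missing an article; "See the &%tls_certificate%& discussion of &$tls_sni$& for when this option may be re-expanded" reads correctly.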
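Review bot: the new transport option at @@ -22371 writes the variable as plain "$tls_sni" in "it sets the $tls_sni variable", while the .vindex line and the rest of spec.xfpt use the &$tls_sni$& markup; use the markup form so the variable is rendered and indexed consistently. The text should also say what value an administrator is expected to put in the option (the option is declared string&!!, so it is expanded per delivery, and the value sent is the name the remote server is expected to hold a certificate for). Finally, the hunk adds three blank "+" lines between ".wen" and ".option tls_tempfail_tryclear"; one blank line matches the spacing of the surrounding entries.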
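Review bot: the log-selector description added at @@ -33450 says the SNI "is added to the log line, preceded by SNI=", but the value logged is a string supplied by the remote client; state whether non-printable, whitespace or quote characters in it are escaped before it is written, so operators and log parsers know what to expect on the "<=" line.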
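Review bot: in the ChangeLog hunk, the context line for PP/16 carries the typo "fron" for "from"; since this change already touches the neighbouring entry, fix it here. The two added lines fold three distinct changes into PP/17 (the transport option, the $tls_bits reset, and the new log_selector); the $tls_bits reset is a bug fix rather than part of the SNI feature and would be easier to find as its own entry.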
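Review bot: in the NewStuff hunk, "which will set a hostname for outbound TLS sessions" is vague about what "set" means; "which sends a host name as the Server Name Indication extension on outbound TLS sessions, and sets $tls_sni too" says exactly what the option does and matches the spec.xfpt wording.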
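Review bot: the OptionLists.txt row "+tls_sni string* unset main 4.78" gives the wrong owner: the spec.xfpt hunk declares the option as ".option tls_sni smtp string&!! unset" and the ChangeLog says "option tls_sni on SMTP Transports", so the column should read "smtp", as it does for tls_tempfail_tryclear on the neighbouring row. Note also that the pre-existing context row spells the option "tls_remember_emstp" where spec.xfpt has "tls_remember_esmtp"; worth correcting while the file is open.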