author: Philip Hazel <ph10@hermes.cam.ac.uk> 2007-01-18 15:35:42 +0000
committer: Philip Hazel <ph10@hermes.cam.ac.uk> 2007-01-18 15:35:42 +0000
commit: 83da1223921fe30362e8374951360dcc8f21c4e7 (patch)
tree: 174a4beafbf240347d2ecad6d35640469baf96e8 /doc
parent: 7b90bba702ae0f7267931524c4c523c4ee9d46b6 (diff)
Add gnutls_require_{kx,mac,protocols}.
Diffstat (limited to 'doc')
-rw-r--r--  doc/doc-txt/ChangeLog         5
-rw-r--r--  doc/doc-txt/NewStuff         71
-rw-r--r--  doc/doc-txt/OptionLists.txt  10
3 files changed, 82 insertions, 4 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 240c815eb..238621e9b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.454 2007/01/17 11:17:58 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.455 2007/01/18 15:35:42 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -26,6 +26,9 @@ PH/02 In an ACL statement such as
PH/03 Added additional dnslists conditions == and =& which are different from
= and & when the dns lookup returns more than one IP address.
+PH/04 Added gnutls_require_{kx,mac,protocols} to give more control over the
+ cipher suites used by GnuTLS. These options are ignored by OpenSSL.
+
Exim version 4.66
-----------------
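Review bot: the PH/04 entry says the new options are ignored by OpenSSL but does not say where they can be set, while the NewStuff text and OptionLists.txt rows in this same commit add them both as main options and as smtp transport options; a short qualifier such as "(main and smtp transport options)" would keep the ChangeLog consistent with the other two files.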
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 960f93ce8..9cc8f81cc 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/NewStuff,v 1.127 2007/01/17 11:17:58 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/NewStuff,v 1.128 2007/01/18 15:35:42 ph10 Exp $
New Features in Exim
--------------------
@@ -106,6 +106,75 @@ Version 4.67
When the DNS lookup yields only a single IP address, there is no difference
between = and == and between & and =&.
+ 3. Up till now, the only control over which cipher suites GnuTLS uses has been
+ for the cipher algorithms. New options have been added to allow some of the
+ other parameters to be varied. Here is complete documentation for the
+ available features:
+
+ GnuTLS allows the caller to specify separate lists of permitted key
+ exchange methods, main cipher algorithms, and MAC algorithms. These may be
+ used in any combination to form a specific cipher suite. This is unlike
+ OpenSSL, where complete cipher names can be passed to its control function.
+ GnuTLS also allows a list of acceptable protocols to be supplied.
+
+ For compatibility with OpenSSL, the tls_require_ciphers option can be set
+ to complete cipher suite names such as RSA_ARCFOUR_SHA, but for GnuTLS this
+ option controls only the cipher algorithms. Exim searches each item in the
+ list for the name of an available algorithm. For example, if the list
+ contains RSA_AES_SHA, then AES is recognized, and the behaviour is exactly
+ the same as if just AES were given.
+
+ There are additional options called gnutls_require_kx, gnutls_require_mac,
+ and gnutls_require_protocols that can be used to restrict the key exchange
+ methods, MAC algorithms, and protocols, respectively. These options are
+ ignored if OpenSSL is in use.
+
+ All four options are available as global options, controlling how Exim
+ behaves as a server, and also as options of the smtp transport, controlling
+ how Exim behaves as a client. All the values are string expanded. After
+ expansion, the values must be colon-separated lists, though the separator
+ can be changed in the usual way.
+
+ Each of the four lists starts out with a default set of algorithms. If the
+ first item in one of the "require" options does _not_ start with an
+ exclamation mark, all the default items are deleted. In this case, only
+ those that are explicitly specified can be used. If the first item in one
+ of the "require" items _does_ start with an exclamation mark, the defaults
+ are left on the list.
+
+ Then, any item that starts with an exclamation mark causes the relevant
+ entry to be removed from the list, and any item that does not start with an
+ exclamation mark causes a new entry to be added to the list. Unrecognized
+ items in the list are ignored. Thus:
+
+ tls_require_ciphers = !ARCFOUR
+
+ allows all the defaults except ARCFOUR, whereas
+
+ tls_require_ciphers = AES : 3DES
+
+ allows only cipher suites that use AES or 3DES. For tls_require_ciphers
+ the recognized names are AES_256, AES_128, AES (both of the preceding),
+ 3DES, ARCFOUR_128, ARCFOUR_40, and ARCFOUR (both of the preceding). The
+ default list does not contain all of these; it just has AES_256, AES_128,
+ 3DES, and ARCFOUR_128.
+
+ For gnutls_require_kx, the recognized names are DHE_RSA, RSA (which
+ includes DHE_RSA), DHE_DSS, and DHE (which includes both DHE_RSA and
+ DHE_DSS). The default list contains RSA, DHE_DSS, DHE_RSA.
+
+ For gnutls_require_mac, the recognized names are SHA (synonym SHA1), and
+ MD5. The default list contains SHA, MD5.
+
+ For gnutls_require_protocols, the recognized names are TLS1 and SSL3.
+ The default list contains TLS1, SSL3.
+
+ In a server, the order of items in these lists is unimportant. The server
+ will advertise the availability of all the relevant cipher suites. However,
+ in a client, the order in the tls_require_ciphers list specifies a
+ preference order for the cipher algorithms. The first one in the client's
+ list that is also advertised by the server is tried first.
+
Version 4.66
------------
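Review bot: "Unrecognized items in the list are ignored" (the paragraph before the tls_require_ciphers examples) needs an explicit caution, because under the rules as written a misspelled name silently weakens the restriction instead of failing: `tls_require_ciphers = !RC4` leaves every default in place, including ARCFOUR_128, which is exactly what the administrator meant to remove (ARCFOUR is the recognized name), and `tls_require_ciphers = RC4` deletes the defaults and adds nothing, leaving a list with no entries, a case the text does not describe. Suggest stating plainly that a typo is not reported and that the administrator should verify the resulting list, and adding at least one example for each of the three new options, e.g. `gnutls_require_protocols = !SSL3` (keeps the TLS1 default and drops SSL3), so readers see the "first item starts with !" semantics applied to gnutls_require_kx, gnutls_require_mac and gnutls_require_protocols and not only to the cipher list.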
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index e484f98e9..67b03c793 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/OptionLists.txt,v 1.28 2006/12/05 11:35:28 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/OptionLists.txt,v 1.29 2007/01/18 15:35:42 ph10 Exp $
LISTS OF EXIM OPTIONS
---------------------
@@ -11,7 +11,7 @@ This file contains complete lists of four kinds of Exim option:
4. Those that can appear in the build time configuration for the Exim monitor
(Local/eximon.conf).
-This file was last updated for Exim release 4.64.
+This file was last updated for Exim release 4.67.
1. RUN TIME OPTIONS
@@ -231,6 +231,12 @@ from string* unset autoreply
gecos_name string* unset main
gecos_pattern string unset main
gethostbyname boolean false smtp
+gnutls_require_kx string* unset main 4.67
+ string* unset smtp 4.67
+gnutls_require_mac string* unset main 4.67
+ string* unset smtp 4.67
+gnutls_require_protocols string* unset main 4.67
+ string* unset smtp 4.67
group string + routers 4.00
unset transports 4.00 replaces local option in some transports
header_line_maxsize integer 0 (unset) main 4.14
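Review bot: the six new gnutls_require_* rows leave the trailing comment column empty, although the NewStuff text added in this same commit says these options are ignored when OpenSSL is in use; a remark such as "GnuTLS only" in that column, in the way the group row uses it for "replaces local option in some transports", would let a reader of OptionLists.txt see the limitation without consulting the other file.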