| author | Phil Pennock <pdp@exim.org> | 2012-06-24 02:55:29 -0700 |
|---|---|---|
| committer | Phil Pennock <pdp@exim.org> | 2012-06-24 02:55:29 -0700 |
| commit | a5f239e4959d4df6a4a341d8855e14d17399d671 (patch) | |
| tree | b146fc0467aa091e862fea4cbb038aaf3318aaa3 /doc | |
| parent | 585121e2682545b7afa599e039a7a1e2b1804570 (diff) | |
Add gnutls_enable_pkcs11 option.
GnuTLS 2.12.0 adds PKCS11 support using p11-kit and by default will
autoload modules, which interoperates badly with GNOME keyring
integration, configured via paths in environment variables, and Exim
invoked by the user (e.g., mailq) will then try to load the modules, fail
and spew warnings from the module for a library loaded by a library.
http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs
documents that to prevent this, explicitly init PKCS11 before calling
gnutls_global_init(). So we do so, unless the admin sets the new
option.
Reported by Andreas Metzler, who confirmed that the added calls fixed
the problem for him.
Diffstat (limited to 'doc')

| -rw-r--r-- | doc/doc-docbook/spec.xfpt | 16 |
|---|---|---|
| -rw-r--r-- | doc/doc-txt/ChangeLog | 3 |
| -rw-r--r-- | doc/doc-txt/NewStuff | 10 |
| -rw-r--r-- | doc/doc-txt/OptionLists.txt | 1 |

4 files changed, 30 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index dcf6b6cfb..f23c42afb 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -12825,6 +12825,9 @@ listed in more than one group. .section "TLS" "SECID108" .table2 .row &%gnutls_compat_mode%& "use GnuTLS compatibility mode" +.new +.row &%gnutls_enable_pkcs11%& "allow GnuTLS to autoload PKCS11 modules" +.wen .row &%openssl_options%& "adjust OpenSSL compatibility options" .row &%tls_advertise_hosts%& "advertise TLS to these hosts" .row &%tls_certificate%& "location of server certificate" @@ -13853,6 +13856,19 @@ This option controls whether GnuTLS is used in compatibility mode in an Exim server. This reduces security slightly, but improves interworking with older implementations of TLS. + +.new +option gnutls_enable_pkcs11 main boolean unset +This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with +the p11-kit configuration files in &_/etc/pkcs11/modules/_&. + +See +&url(http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs) +for documentation. +.wen + + + .option headers_charset main string "see below" This option sets a default character set for translating from encoded MIME &"words"& in header lines, when referenced by an &$h_xxx$& expansion item. The diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 34521098e..8fa9621bd 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -44,6 +44,9 @@ NM/01 Bugzilla 1197 - Spec typo JH/03 Add expansion operators ${listnamed:name} and ${listcount:string} +PP/09 Add gnutls_enable_pkcs11 option. + + Exim version 4.80 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 6d64faa00..c56256bdd 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff 
@@ -87,6 +87,16 @@ Version 4.81 8. New expansion operators ${listnamed:name} to get the content of a named list and ${listcount:string} to count the items in a list. + 9. New global option "gnutls_enable_pkcs11", defaults false. The GnuTLS + rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11 + modules. For some situations this is desirable, but we expect admin in + those situations to know they want the feature. More commonly, it means + that GUI user modules get loaded and are broken by the setuid Exim being + unable to access files specified in environment variables and passed + through, thus breakage. So we explicitly inhibit the PKCS11 initialisation + unless this new option is set. + + Version 4.80 ------------ diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 1c7881e76..05074bba7 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -243,6 +243,7 @@ gecos_name string* unset main gecos_pattern string unset main gethostbyname boolean false smtp gnutls_compat_mode boolean unset main 4.70 +gnutls_enable_pkcs11 boolean false main 4.81 gnutls_require_kx string* unset main 4.67 deprecated, warns string* unset smtp 4.67 deprecated, warns gnutls_require_mac string* unset main 4.67 deprecated, warns |
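Review bot: In the second spec.xfpt hunk (around line 13856), the new option block is introduced as `option gnutls_enable_pkcs11 main boolean unset` without the leading dot that the neighbouring `.option headers_charset main string "see below"` directive carries; if that is not an artefact of how this page was rendered, xfpt will not recognise it as an option heading and the entry will not be indexed or formatted like the other options. The description also only states what happens when the option is set; given the commit message, it should say that by default Exim now initialises PKCS11 itself before `gnutls_global_init()` so that GnuTLS does not autoload modules from the p11-kit configuration, and that the option exists for admins who deliberately want autoloading (for example with an HSM), since the default is the safer behaviour for a setuid binary run by ordinary users.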
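Review bot: The ChangeLog entry `PP/09 Add gnutls_enable_pkcs11 option.` records only the new option, but the user-visible change for anyone already on GnuTLS 2.12.0 or later is that PKCS11 module autoloading is now inhibited unless the option is set; one more clause saying so (and crediting the report from Andreas Metzler, as the commit message does) would let admins reading ChangeLog understand why an HSM setup that worked with 4.80 needs the new option.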
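Review bot: In the NewStuff hunk, the sentence "it means that GUI user modules get loaded and are broken by the setuid Exim being unable to access files specified in environment variables and passed through, thus breakage" is hard to follow and "thus breakage" duplicates "are broken". Suggest rewording along the lines of: "it means that per-user GUI modules (such as GNOME keyring) get loaded, and because setuid Exim cannot use the files named in environment variables passed through from the user, they fail and emit warnings." The hunk also says the option "defaults false" while the spec.xfpt hunk declares it `unset`; the two should agree.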
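Review bot: In the OptionLists.txt hunk the new row `gnutls_enable_pkcs11 boolean false main 4.81` lists the default as `false`, whereas the row immediately above it for `gnutls_compat_mode` and the spec.xfpt hunk in this same commit use `unset`; since these boolean defaults are equivalent in effect, pick one form (the spec.xfpt value is the one users will read) and use it in both files so the option list does not disagree with the reference manual.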