summaryrefslogtreecommitdiff
path: root/src/README.UPDATING
diff options
context:
space:
mode:
authorPhil Pennock <pdp@exim.org>2012-05-16 12:15:26 -0400
committerPhil Pennock <pdp@exim.org>2012-05-16 12:15:26 -0400
commit17c761988f30054827a9951761d93ffeeaad0cb7 (patch)
tree10d8b048f0c7059c28a2ad5e4257a19e46d47267 /src/README.UPDATING
parentf675bf30a2ce6242cfc7c3e3997ec5d68a1fca7a (diff)
Overhaul of GnuTLS code.
GnuTLS code re-done, using cut&paste for preservation where appropriate. Stop using deprecated APIs. Stop hard-coding lists of ciphers. Use gnutls_priority_init() instead. Turns tls_require_ciphers into a string in the GnuTLS case, not just OpenSSL case. Deprecate three gnutls_require_* options; now ignored but not errors. (No warnings yet). Added TLS SNI support. Made the channel binding integration theoretically actually work. I had it guarded by an #ifdef but the value used was an enum instead. Oops. Fixed. New code much more amenable to future work permitting TLS in callouts. DH param sizes now chosen by GnuTLS maintainers, we use "normal"; that's suddenly a lot more bits, so the saved filename was changed too. (GNUTLS_SEC_PARAM_NORMAL). DH param setup only done for servers now, since clients don't need/use it. GnuTLS a lot more robust to library negotiation using stuff we don't support, error-ing out quickly for other authentication systems (PGP, etc). Renamed pseudo_random_number() to vaguely_random_number() which makes the nature clearer. GnuTLS now provides a vaguely_random_number() implementation, to match OpenSSL. Pull in <inttypes.h> to make the recent arithmetic changes compile on MacOS. Nuke test 2011 which related to the gnutls_require_* options now non-functional.
Diffstat (limited to 'src/README.UPDATING')
-rw-r--r--src/README.UPDATING24
1 files changed, 24 insertions, 0 deletions
diff --git a/src/README.UPDATING b/src/README.UPDATING
index 0d729a384..81e767efe 100644
--- a/src/README.UPDATING
+++ b/src/README.UPDATING
@@ -77,6 +77,30 @@ Exim version 4.78
new option, you can safely force it off before upgrading, to decouple
configuration changes from the binary upgrade while remaining RFC compliant.
+ * The GnuTLS support has been mostly rewritten, to use 2.12.x APIs. As part
+ of this, these three options are no longer supported:
+
+ gnutls_require_kx
+ gnutls_require_mac
+ gnutls_require_protocols
+
+ Their functionality is entirely subsumed into tls_require_ciphers, which is
+ no longer parsed apart by Exim but is instead given to
+ gnutls_priority_init(3), which is no longer an Exim list. See:
+
+ http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html
+
+ for fuller documentation of the strings parsed. The three gnutls_require_*
+ options are still parsed by Exim and, for this release, silently ignored.
+ A future release will add warnings, before a later still release removes
+ parsing entirely and the presence of the options will be a configuration
+ error.
+
+ This rewrite means that Exim will continue to build against GnuTLS in the
+ future, brings Exim closer to other GnuTLS applications and lets us add
+ support for SNI and other features more readily. We regret that it wasn't
+ feasible to retain the three dropped options.
+
Exim version 4.77
-----------------