summaryrefslogtreecommitdiff
path: root/src/README.UPDATING
diff options
context:
space:
mode:
authorPhil Pennock <pdp@exim.org>2012-05-03 19:11:49 -0700
committerPhil Pennock <pdp@exim.org>2012-05-03 19:11:49 -0700
commitda3ad30dcfbb4770835c2b7e165bb719f76cfc16 (patch)
tree98071a567e2c77ad855dcbcee5871f5bf7207436 /src/README.UPDATING
parente74376d84aa63876c9a3b240513b8f38920733b7 (diff)
OpenSSL fixes and backwards compat break.
Drop SSL_clear() after SSL_new() which causes protocol negotiation failures for TLS1.0 vs TLS1.1/1.2 in OpenSSL 1.0.1b. Remove SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (+dont_insert_empty_fragments) from default of openssl_options.
Diffstat (limited to 'src/README.UPDATING')
-rw-r--r--src/README.UPDATING16
1 files changed, 16 insertions, 0 deletions
diff --git a/src/README.UPDATING b/src/README.UPDATING
index 3dff7c094..5b6bea869 100644
--- a/src/README.UPDATING
+++ b/src/README.UPDATING
@@ -47,6 +47,22 @@ Exim version 4.78
"openssl_options" gains "no_tlsv1_1", "no_tlsv1_2" and "no_compression".
+ COMPATIBILITY WARNING: The default value of "openssl_options" is no longer
+ "+dont_insert_empty_fragments". We default to unset. That old default was
+ grandfathered in from before openssl_options became a configuration option.
+ Empty fragments are inserted by default through TLS1.0, to partially defend
+ against certain attacks; TLS1.1+ change the protocol so that this is not
+ needed. The DIEF SSL option was required for some old releases of mail
+ clients which did not gracefully handle the empty fragments, and was
+ initially set in Exim release 4.31 (see ChangeLog, item 37).
+
+ If you still have affected mail-clients, and you see SSL protocol failures
+ with this release of Exim, set:
+ openssl_options = +dont_insert_empty_fragments
+ in the main section of your Exim configuration file. You're trading off
+ security for compatibility. Exim is now defaulting to higher security and
+ rewarding more modern clients.
+
* Ldap lookups returning multi-valued attributes now separate the attributes
with only a comma, not a comma-space sequence. Also, an actual comma within
a returned attribute is doubled. This makes it possible to parse the