diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 16 | ||||
-rw-r--r-- | doc/doc-txt/ChangeLog | 3 | ||||
-rw-r--r-- | doc/doc-txt/NewStuff | 10 | ||||
-rw-r--r-- | doc/doc-txt/OptionLists.txt | 1 |
4 files changed, 30 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index dcf6b6cfb..f23c42afb 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -12825,6 +12825,9 @@ listed in more than one group. .section "TLS" "SECID108" .table2 .row &%gnutls_compat_mode%& "use GnuTLS compatibility mode" +.new +.row &%gnutls_enable_pkcs11%& "allow GnuTLS to autoload PKCS11 modules" +.wen .row &%openssl_options%& "adjust OpenSSL compatibility options" .row &%tls_advertise_hosts%& "advertise TLS to these hosts" .row &%tls_certificate%& "location of server certificate" @@ -13853,6 +13856,19 @@ This option controls whether GnuTLS is used in compatibility mode in an Exim server. This reduces security slightly, but improves interworking with older implementations of TLS. + +.new +option gnutls_enable_pkcs11 main boolean unset +This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with +the p11-kit configuration files in &_/etc/pkcs11/modules/_&. + +See +&url(http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs) +for documentation. +.wen + + + .option headers_charset main string "see below" This option sets a default character set for translating from encoded MIME &"words"& in header lines, when referenced by an &$h_xxx$& expansion item. The diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 34521098e..8fa9621bd 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -44,6 +44,9 @@ NM/01 Bugzilla 1197 - Spec typo JH/03 Add expansion operators ${listnamed:name} and ${listcount:string} +PP/09 Add gnutls_enable_pkcs11 option. + + Exim version 4.80 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 6d64faa00..c56256bdd 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -87,6 +87,16 @@ Version 4.81 8. New expansion operators ${listnamed:name} to get the content of a named list and ${listcount:string} to count the items in a list. + 9. New global option "gnutls_enable_pkcs11", defaults false. The GnuTLS + rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11 + modules. For some situations this is desirable, but we expect admin in + those situations to know they want the feature. More commonly, it means + that GUI user modules get loaded and are broken by the setuid Exim being + unable to access files specified in environment variables and passed + through, thus breakage. So we explicitly inhibit the PKCS11 initialisation + unless this new option is set. + + Version 4.80 ------------ diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 1c7881e76..05074bba7 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -243,6 +243,7 @@ gecos_name string* unset main gecos_pattern string unset main gethostbyname boolean false smtp gnutls_compat_mode boolean unset main 4.70 +gnutls_enable_pkcs11 boolean false main 4.81 gnutls_require_kx string* unset main 4.67 deprecated, warns string* unset smtp 4.67 deprecated, warns gnutls_require_mac string* unset main 4.67 deprecated, warns |