summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/doc-docbook/spec.xfpt16
-rw-r--r--doc/doc-txt/ChangeLog3
-rw-r--r--doc/doc-txt/NewStuff10
-rw-r--r--doc/doc-txt/OptionLists.txt1
4 files changed, 30 insertions, 0 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index dcf6b6cfb..f23c42afb 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -12825,6 +12825,9 @@ listed in more than one group.
.section "TLS" "SECID108"
.table2
.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
+.new
+.row &%gnutls_enable_pkcs11%& "allow GnuTLS to autoload PKCS11 modules"
+.wen
.row &%openssl_options%& "adjust OpenSSL compatibility options"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
@@ -13853,6 +13856,19 @@ This option controls whether GnuTLS is used in compatibility mode in an Exim
server. This reduces security slightly, but improves interworking with older
implementations of TLS.
+
+.new
+option gnutls_enable_pkcs11 main boolean unset
+This option will let GnuTLS (2.12.0 or later) autoload PKCS11 modules with
+the p11-kit configuration files in &_/etc/pkcs11/modules/_&.
+
+See
+&url(http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs)
+for documentation.
+.wen
+
+
+
.option headers_charset main string "see below"
This option sets a default character set for translating from encoded MIME
&"words"& in header lines, when referenced by an &$h_xxx$& expansion item. The
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 34521098e..8fa9621bd 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -44,6 +44,9 @@ NM/01 Bugzilla 1197 - Spec typo
JH/03 Add expansion operators ${listnamed:name} and ${listcount:string}
+PP/09 Add gnutls_enable_pkcs11 option.
+
+
Exim version 4.80
-----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 6d64faa00..c56256bdd 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -87,6 +87,16 @@ Version 4.81
8. New expansion operators ${listnamed:name} to get the content of a named list
and ${listcount:string} to count the items in a list.
+ 9. New global option "gnutls_enable_pkcs11", defaults false. The GnuTLS
+ rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11
+ modules. For some situations this is desirable, but we expect admin in
+ those situations to know they want the feature. More commonly, it means
+ that GUI user modules get loaded and are broken by the setuid Exim being
+ unable to access files specified in environment variables and passed
+ through, thus breakage. So we explicitly inhibit the PKCS11 initialisation
+ unless this new option is set.
+
+
Version 4.80
------------
diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index 1c7881e76..05074bba7 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -243,6 +243,7 @@ gecos_name string* unset main
gecos_pattern string unset main
gethostbyname boolean false smtp
gnutls_compat_mode boolean unset main 4.70
+gnutls_enable_pkcs11 boolean false main 4.81
gnutls_require_kx string* unset main 4.67 deprecated, warns
string* unset smtp 4.67 deprecated, warns
gnutls_require_mac string* unset main 4.67 deprecated, warns