| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
With openssl installed by brew on macOS, OpenSSL headers are not in a
normal place. I can fiddle with LDFLAGS/CPPFLAGS to get them available,
but then the `./configure` step succeeds and build fails.
Propagating the CPPFLAGS into the generated Makefile lets the build
succeed and we get a `client-ssl` binary output.
|
|
MacStadium are providing us with free Mac Mini hosting as part of their
FOSS support. I'm about to set it up. Let's have out-of-repo tuning in
place before I begin.
|
|
|
|
|
|
Patch from Matthias, with additional code indentation tweaks from JGH
|
|
I've created a homebrew tap with sdop and xfpt in it, so I can install
those more easily on macOS in the future, and now have bothered actually
building the docs. `.url()` should have been `&url()` in two places.
The `make spec.pdf` pipeline yields a document where those are not
clickable links, but if i use `make spec.ps` and let macOS auto-convert
to PDF upon open, those are proper clickable hyperlinks. So this switch
is definitely for the better.
|
|
|
|
|
|
I got a cookie-cutter email from folks noting the modssl.org doc links
were broken and asking us to use their site instead, which was both
helpful and a rather heavy page with advertising on it, so not something
I want our docs to link to.
Fixed the modssl link to point to the correct current Apache docs, since
mod_ssl has not been a separate project for … a very long time.
Audited every `http:` link in the Spec, replacing with https if
available, updating URLs as needed, or trimming deadwood as appropriate.
This did edit one license text, but in a way which I believe is
reasonable and in the license holder's best interests.
* Use comments with a datestamp for any remaining http: URLs, showing
when they were last audited
* Suggest migrating away from Berkeley DB.
* Drop mention of a patched `pam_unix` module which is no longer available.
* In revamping the CDB tools links, add my own tools.
* Redo the intro text for the mod_ssl stuff (first person voice of PH).
* Rescorla's book's online examples appear to be gone; drop mention of
them and point to Ristić's more recent book too.
* Point to wikipedia list of DNSxL services as an overview, in part
because I dropped the reference to the defunct rfc-ignorant.org and
there was no good candidate as an exemplar for domain-based lists.
* Note that mksd is a candidate for removal from Exim since mks_vir
is dead.
* Drop LogReport/lire reference (dead/gone and can't find it).
* Redo proxy protocol spec-linking text.
* Replace FAQ A1701 with text saying "don't do that" (self-signed certs)
and just telling people to use a CA instead, pointing strongly to
Let's Encrypt. We did nobody any favors with that old text still
being present today (it was entirely appropriate when written).
|
|
|
|
|
|
arc4random_stir should not be used directly (it's fully automated after
FreeBSD r227520, or approximately __FreeBSD_version 1000002), the
interface will be removed from FreeBSD soon (bugs.freebsd.org/230756).
Patch was from bugs.freebsd.org/230826.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Before, it was just dropped, but we document that it's replaced by ?.
Tests updated, manual test-case for -be prompt is:
${utf8clean:${length_1:フィル}}
|
|
|
|
Bug 2296
|
|
|
|
Incorrect at introduction in 71c158466d.
|
|
|
|
Have `exim -n -bP macro FOO` just print the value of the macro `FOO`,
without the `name=` prefix.
This is the same handling as used for option values.
If the invoker asks for multiple macros in one invocation, with `-n`,
then that's their problem.
|
|
|
|
|
|
Broken-by: c4b57fddca
|
|
Missed from 611b1961b8.
|
|
|
|
|
|
|
|
While technically an implementation can choose to use a public TA from
DNS or elsewhere to populate a missing TA from the chain, that creates
interoperability issues and the OpenSSL integration code, at least,
doesn't support that and after a bit of work drilling through layers of
abstraction, I've not figured out what GnuTLS does and I've decided I
don't care.
So I'm heeding Viktor's advice and changing the docs to just say to
publish the TA in the chain sent by the server.
|
|
|
|
Very few domains are using SHA-1 in EE certs issued from a CA used in
DANE-TA anchoring, but some are. Meanwhile apparently GnuTLS now
defaults to disabling SHA-1 in chains. Which is eminently reasonable.
I do not believe that Exim should re-enable use of SHA-1 here. Let it
die. Document with warnings that folks using a private CA for certs to
be publicly trusted via DANE-TA should follow decent operational
issuance practices.
Also update my Channel Binding docs for GSASL to warn that Channel
Binding is Broken™.
|
|
|
|
|
|
Following discussions on the exim-user mailinglist it seems that the conclusion
that the interface was nonfunctioning was unwarranted.
|
|
|
|
|
