| Age | Commit message (Collapse) | Author |
|---|
|
Note how to test strings, provide examples which distinguish port 25 from other ports.
Carefully used short examples, but allows two different strings per implementation
and demonstrates how the strings are very different.
|
|
Fixes the output of 'ls' command to a standard format (test 345).
|
|
|
|
|
|
|
|
With this, src/EDITME as Local/Makefile *only* needs EXIM_USER to be
set and EXIM_MONITOR commented out for Exim to build on my box.
I think this is a reasonable default; if there are releases of PCRE which
do not include pcre-config, then on those boxes a slight change will be
needed, but only where the file was already having to be edited anyway.
|
|
|
|
|
|
This reverts commit 8dedb69a41c30fd82ab6e084fe567f7ee7aaa562.
Kills testcase 0137.
|
|
|
|
Report and point to fix from Dennis Davis.
|
|
Rough text per suggestion from Tony.
Amended ACKNOWLEDGEMENTS briefly, but need to actually add people. Like, er, me.
|
|
gnutls_dh_params_export_pkcs3() returns 2 different sizes.
NUL observed by Janne Snabb
|
|
|
|
|
|
Pull in <features.h> on Linux.
Switch readconf log from D_all (bug) to D_tls (though D_any would have
worked).
Modified runtest to handle clamped DH bits and
tls_validate_require_cipher added debug logging.
|
|
|
|
gnutls-params bits count no longer necessarily what GnuTLS says to use.
The OpenSSL-vs-GnuTLS text needed some updating.
Catches a ChangeLog addition made during the previous commit, so not picked up by it.
|
|
Janne Snabb tracked down the GnuTLS 2.12 vs NSS (Thunderbird) interop
problems to a hard-coded limit of 2236 bits for DH in NSS while GnuTLS
was suggesting 2432 bits as normal.
Added new global option tls_dh_max_bits to clamp all DH values (client
or server); unexpanded integer. Default value to 2236. Apply to both
GnuTLS and OpenSSL (which requires tls_dh_params for this).
Tired of debugging "SMTP fails TLS" error messages in mailing-lists
caused by OpenSSL library/include clashes, and of finding out I typo'd
in tls_require_ciphers only at the STARTTLS handshake. During readconf,
fork/drop-privs/initialise-TLS-library. In that, if tls_require_ciphers
is set, then validate it.
The validation child will panic if it can't initialise or if
tls_require_ciphers can't be parsed, else it exits 0. If the child
exits anything other than 0, the main Exim process will exit.
|
|
Guarded the callback invocation on OpenSSL having TLS extension support.
Failed to guard the callback definition. Fixed.
Problem spotted by Todd Lyons.
|
|
|
|
|
|
|
|
|
|
Noted by Moritz Wilhelmy.
|
|
|
|
Confirmed typo, rather than QNXism, by grepping tree and finding no
other instances.
Reported by René Berber.
|
|
I omitted log/2025 pending further investigation.
|
|
|
|
test-host installations.
|
|
WANT_DEEPER_PRINTF_CHECKS guards ALMOST_PRINTF being PRINTF_FUNCTION.
Fix some actual issues exposed when I cut down on the spam.
|
|
Report and fix from Michael Haardt.
The resolver library change's assumed typedef was absent, but the
underlying struct __res_state is present. Long type issues for the
arithmetic changes.
|
|
|
|
|
|
Only crash-plausible issue would require the Cambridge-specific
iplookup router and a misconfiguration.
Report from Marcin Mirosław
|
|
New cert1 and cert2 but I'd only updated the GnuTLS tests.
This fixes OpenSSL ones too.
The SHELL vs /bin/sh one also fixed, finally realised that
the test output just hadn't been updated to match the munging.
|
|
Base text from Wolfgang Breyha.
I went over it as someone new to it, to make some obvious-to-experts-but-not-me fixes.
|
|
De-initialised "type" var in stack declaration, so a repeat of this mistake
would lead to an uninitialized variable usage warning which would have blocked
the previous incorrect fix from being committed.
|
|
(stack memory referenced, read-only, out of scope).
Patch from Wolfgang Breyha, report from Stuart Northfield.
|
|
Patch from Janne Snabb.
|
|
Fixed assumption that tls_certificate non-NULL in server when TLS
advertised.
Weakened an !S_ISREG() to an S_ISDIR() to keep the test-suite happy.
Using:
do { rc = gnutls_handshake(state->session);
} while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
is contra-indicated when you expect SIGALRM to be able to break you out
of the loop. A little _too_ robust there. Switching last part to:
(rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen)
is rather more productive.
Only test not passing is 2025, which makes major assumptions about
cipher suites and needs to be revisited to see what it's trying to
achieve. We fail the test because we successfully deliver the message
without expected errors, because other ciphersuites are available, since
we're no longer limited to a *very* short list embedded in the Exim
code. That sort of failure I can live with.
|
|
|
|
A couple more cert1/2 strings updated, plus some disambiguating rhubarb.
|
|
|
|
|
|
|
|
Some tests had not been updated for the new cert because they were missing an X= log-line.
Updated those tests now.
|
|
Decided "unknown (reason)" in tls_peerdn was wrong, stripped that, added
replacement guard.
Moved cipherbuf construction to where it makes more sense, where peerdn
is extracted, so that setting the exim vars gets back closer to just
some pointer switching.
Fix missing failure check after handshake in client.
Fix tls.c tls_ungetc() and friends by pointing watermark vars at state
content.
Regenerated test-suite D-H params so we don't have too small values,
which was causing connection rejections.
Test-suite output where new test cert info is logged (there will be a
couple more, when I fix a lingering problem with tls_peerdn being unset
in client log-lines).
Give test-suite client command some --help.
|
|
Mostly care about EXIM_GNUTLS_LIBRARY_LOG_LEVEL for debugging.
If someone screams that we kept the default dh-bits at 1024 for old GnuTLS,
we can point them at EXIM_SERVER_DH_BITS_PRE2_12. The name itself will
tell them to shut up and update their library if they care about security. :)
|
|
Updated all files modified in 2012 which contained a copyright year
already, unless the range was specified as open-ended.
vi $(git whatchanged --since=2012-01-01 | grep '^:100' | sed 's/^[^M]*M//' | sort -u | fgrep -v test/)
|
