| Age | Commit message (Collapse) | Author |
|---|
|
Pulled from Debian 30_dontoverridecflags.dpatch by Andreas Metzler.
We just add CFLAGS_DYNAMIC too and some comments.
Non-POSIX syntax, but fairly portable; GNU make gained it in 1998,
we believe even very old systems should handle it fine.
|
|
GnuTLS 2.12.0 adds PKCS11 support using p11-kit and by default will
autoload modules, which interoperates badly with GNOME keyring
integration, configured via paths in environment variables, and Exim
invoked by the user (eg, mailq) will then try to load the modules, fail
and spew warnings from the module for a library loaded by a library.
http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs
documents that to prevent this, explicitly init PKCS11 before calling
gnutls_global_init(). So we do so, unless the admin sets the new
option.
Reported by Andreas Metzler, who confirmed that the added calls fixed
the problem for him.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
fixes bug 1117
|
|
These are for Sendmail compatibility.
bug 1117
|
|
|
|
|
|
|
|
|
|
Also fix doc claim that value is unexpanded.
Also strip affix whitespace before numeric conversion and fixed string comparison.
|
|
|
|
|
|
|
|
Could not find an API for use with OpenSSL, so GnuTLS only
|
|
|
|
|
|
Also, drop fix one place which claimed TLS SNI support was OpenSSL only.
|
|
This reverts commit 83f4c7515f3eb06dc070e78edd2694c1d088e5fd.
This was not a new check! The call to gnutls_dh_set_prime_bits() was
made with DH_BITS in Exim 4.77, so the only difference is that now an
administrator can choose at compile time to change the lower bound.
So keeping this at 1024 is not a regression and if we can't talk to them
now, we couldn't before, and we shouldn't lower security by default.
The reverted commit was only acceptable IF it was still better than what
we had in Exim 4.77.
|
|
Wolfgang Breyha saw a real-world site using 768 bits.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Exim thought protection layer was required, which is not implemented.
Patch from Wolfgang Breyha.
Fixes bug 1254
|
|
Ignore more build side effects
|
|
_ISOC99_SOURCE broke build on Linux (Ubuntu 11.10) because it broke <resolv.h>, <arpa/nameser.h>, etc.
Their u_char and u_int usage relies upon BSD source being enabled too. So use _GNU_SOURCE.
|
|
Done before os.h is pulled in so an OS can override it.
|
|
|
|
|
|
|
|
Note how to test strings, provide examples which distinguish port 25 from other ports.
Carefully used short examples, but allows two different strings per implementation
and demonstrates how the strings are very different.
|
|
|
|
|
|
|
|
Pull in <features.h> on Linux.
Switch readconf log from D_all (bug) to D_tls (though D_any would have
worked).
Modified runtest to handle clamped DH bits and
tls_validate_require_cipher added debug logging.
|
|
gnutls-params bits count no longer necessarily what GnuTLS says to use.
The OpenSSL-vs-GnuTLS text needed some updating.
Catches a ChangeLog addition made during the previous commit, so not picked up by it.
|
|
Janne Snabb tracked down the GnuTLS 2.12 vs NSS (Thunderbird) interop
problems to a hard-coded limit of 2236 bits for DH in NSS while GnuTLS
was suggesting 2432 bits as normal.
Added new global option tls_dh_max_bits to clamp all DH values (client
or server); unexpanded integer. Default value to 2236. Apply to both
GnuTLS and OpenSSL (which requires tls_dh_params for this).
Tired of debugging "SMTP fails TLS" error messages in mailing-lists
caused by OpenSSL library/include clashes, and of finding out I typo'd
in tls_require_ciphers only at the STARTTLS handshake. During readconf,
fork/drop-privs/initialise-TLS-library. In that, if tls_require_ciphers
is set, then validate it.
The validation child will panic if it can't initialise or if
tls_require_ciphers can't be parsed, else it exits 0. If the child
exits anything other than 0, the main Exim process will exit.
|
