From 17c761988f30054827a9951761d93ffeeaad0cb7 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Wed, 16 May 2012 12:15:26 -0400 Subject: Overhaul of GnuTLS code. GnuTLS code re-done, using cut&paste for preservation where appropriate. Stop using deprecated APIs. Stop hard-coding lists of ciphers. Use gnutls_priority_init() instead. Turns tls_require_ciphers into a string in the GnuTLS case, not just OpenSSL case. Deprecate three gnutls_require_* options; now ignored but not errors. (No warnings yet). Added TLS SNI support. Made the channel binding integration theoretically actually work. I had it guarded by an #ifdef but the value used was an enum instead. Oops. Fixed. New code much more amenable to future work permitting TLS in callouts. DH param sizes now chosen by GnuTLS maintainers, we use "normal"; that's suddenly a lot more bits, so the saved filename was changed too. (GNUTLS_SEC_PARAM_NORMAL). DH param setup only done for servers now, since clients don't need/use it. GnuTLS a lot more robust to library negotiation using stuff we don't support, error-ing out quickly for other authentication systems (PGP, etc). Renamed pseudo_random_number() to vaguely_random_number() which makes the nature clearer. GnuTLS now provides a vaguely_random_number() implementation, to match OpenSSL. Pull in to make the recent arithmetic changes compile on MacOS. Nuke test 2011 which related to the gnutls_require_* options now non-functional. --- doc/doc-txt/ChangeLog | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'doc/doc-txt/ChangeLog') diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 7cf2d8791..fdb0074ab 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -102,6 +102,11 @@ PP/24 Fixed headers_only on smtp transports (was not sending trailing dot). JH/02 ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m"). This may cause build issues on older platforms. +PP/25 Revamped GnuTLS support, passing tls_require_ciphers to + gnutls_priority_init, ignoring Exim options gnutls_require_kx, + gnutls_require_mac & gnutls_require_protocols (no longer supported). + Added SNI support via GnuTLS too. + Exim version 4.77 ----------------- -- cgit v1.2.3