From a5f239e4959d4df6a4a341d8855e14d17399d671 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Sun, 24 Jun 2012 02:55:29 -0700 Subject: Add gnutls_enable_pkcs11 option. GnuTLS 2.12.0 adds PKCS11 support using p11-kit and by default will autoload modules, which interoperates badly with GNOME keyring integration, configured via paths in environment variables, and Exim invoked by the user (eg, mailq) will then try to load the modules, fail and spew warnings from the module for a library loaded by a library. http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs documents that to prevent this, explicitly init PKCS11 before calling gnutls_global_init(). So we do so, unless the admin sets the new option. Reported by Andreas Metzler, who confirmed that the added calls fixed the problem for him. --- doc/doc-txt/NewStuff | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'doc/doc-txt/NewStuff') diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 6d64faa00..c56256bdd 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -87,6 +87,16 @@ Version 4.81 8. New expansion operators ${listnamed:name} to get the content of a named list and ${listcount:string} to count the items in a list. + 9. New global option "gnutls_enable_pkcs11", defaults false. The GnuTLS + rewrite in 4.80 combines with GnuTLS 2.12.0 or later, to autoload PKCS11 + modules. For some situations this is desirable, but we expect admin in + those situations to know they want the feature. More commonly, it means + that GUI user modules get loaded and are broken by the setuid Exim being + unable to access files specified in environment variables and passed + through, thus breakage. So we explicitly inhibit the PKCS11 initialisation + unless this new option is set. + + Version 4.80 ------------ -- cgit v1.2.3