From af3498d60d7cae92d50e56353ae19f304b84e6ca Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Thu, 17 May 2012 01:32:13 -0400 Subject: Guards for older releases of GnuTLS. gnutls_sec_param_to_pk_bits() and gnutls_rnd() are both new as of GnuTLS 2.12.x. Guard their usage on 2.12.0+ at compile time. In older versions, the vaguely_random_number() function just immediately calls the fallback, so it's the same as before this change (just one extra indirection in the code-path). Define a constant of 1024 for dh-bits for use in those old releases where GnuTLS won't tell us how many we should use. Change the on-disk filename for generated D-H params again, replacing the -normal with -, so that it's 1024 or whatever, and as the value changes, Exim will automatically start using the new value. --- doc/doc-txt/ChangeLog | 1 + doc/doc-txt/NewStuff | 3 +++ 2 files changed, 4 insertions(+) (limited to 'doc/doc-txt') diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index ff463b1a4..a93041e62 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -106,6 +106,7 @@ PP/25 Revamped GnuTLS support, passing tls_require_ciphers to gnutls_priority_init, ignoring Exim options gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols (no longer supported). Added SNI support via GnuTLS too. + Made ${randint:..} supplier available, if using not-too-old GnuTLS. PP/26 Added EXPERIMENTAL_OCSP for OpenSSL. diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 82eaeb73b..7b3b5aff0 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -80,6 +80,9 @@ Version 4.78 SNI support has been added to Exim's GnuTLS integration too. + For sufficiently recent GnuTLS libraries, ${randint:..} will now use + gnutls_rnd(), asking for GNUTLS_RND_NONCE level randomness. + 12. With OpenSSL, if built with EXPERIMENTAL_OCSP, a new option tls_ocsp_file is now available. If the contents of the file are valid, then Exim will send that back in response to a TLS status request; this is OCSP Stapling. -- cgit v1.2.3