From 2043336d393ea7725942b5be81b486b214eb7b9e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 13 Nov 2019 12:23:28 +0000 Subject: OpenSSL: when supported by the library version, disable renegotiation for pre-TLS1.3 --- doc/doc-docbook/spec.xfpt | 2 +- doc/doc-txt/ChangeLog | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 6b2d97b17..ceb377b0a 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16289,7 +16289,7 @@ harm. This option overrides the &%pipe_as_creator%& option of the &(pipe)& transport driver. -.option openssl_options main "string list" "+no_sslv2 +no_sslv3 +single_dh_use +no_ticket" +.option openssl_options main "string list" "+no_sslv2 +no_sslv3 +single_dh_use +no_ticket +no_renegotiation" .cindex "OpenSSL "compatibility options" This option allows an administrator to adjust the SSL options applied by OpenSSL to connections. It is given as a space-separated list of items, diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index ac7f3357d..c5b2ca2d8 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -200,6 +200,10 @@ JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted buffer was used for the filename, resulting in a trap when tainted arguments (eg. $domain) were used. +JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below; + recommended to avoid a possible server-load attack. The feature can be + re-enabled via the openssl_options main cofiguration option. + Exim version 4.92 ----------------- -- cgit v1.2.3