From 8e53a4fc1a0790138a5b460da7d9c621f6d32622 Mon Sep 17 00:00:00 2001 From: "Heiko Schlittermann (HS12-RIPE)" Date: Fri, 2 Dec 2016 14:32:08 +0100 Subject: OpenSSL: default to tls_eccurve = auto For OpenSSL < 1.0.2: fallback to prime256v1, for newer libraries rely on auto-selection. --- doc/doc-docbook/spec.xfpt | 18 ++++++++++-------- doc/doc-txt/ChangeLog | 2 ++ 2 files changed, 12 insertions(+), 8 deletions(-) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index c3fc1fb21..ce64fd405 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -17139,17 +17139,19 @@ prior to the 4.80 release, as Debian used to patch Exim to raise the minimum acceptable bound from 1024 to 2048. -.option tls_eccurve main string&!! prime256v1 +.option tls_eccurve main string&!! &`auto`& .cindex TLS "EC cryptography" -If built with a recent-enough version of OpenSSL, -this option selects a EC curve for use by Exim. +This option selects a EC curve for use by Exim. -Curve names of the form &'prime256v1'& are accepted. -For even more-recent library versions, names of the form &'P-512'& -are also accepted, plus the special value &'auto'& -which tells the library to choose. +After expansion it must contain a valid EC curve parameter, such as +&`prime256v1`&, &`secp384r1`&, or &`P-512`&. Consult your OpenSSL manual +for valid selections. -If the option is set to an empty string, no EC curves will be enabled. +For OpenSSL versions before (and not including) 1.0.2, the string +&`auto`& selects &`prime256v1`&. For more recent OpenSSL versions +&`auto`& tells the library to choose. + +If the option expands to an empty string, no EC curves will be enabled. .option tls_ocsp_file main string&!! unset diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 6532b1ced..156413fcd 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -140,6 +140,8 @@ HS/01 Fix leak in verify callout under GnuTLS, about 3MB per recipient on HS/02 Bug 1802: Do not half-close the connection after sending a request to rspamd. +HS/03 Use "auto" as the default EC curve parameter. For OpenSSL < 1.0.2 + fallback to "prime256v1". Exim version 4.87 ----------------- -- cgit v1.2.3