From f1be21cf0b8b97a64dfe17f2ca05bb4b9efe8d32 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 3 Feb 2019 22:12:48 +0000 Subject: TLS: add variables for the IETF standard name for the connection ciphersuite (cherry picked from commit ffc3d145e3819e1a3762caa1bbe8b07e723fbaf2) --- doc/doc-docbook/spec.xfpt | 29 ++++++++++++++++++++++------- doc/doc-txt/ChangeLog | 2 ++ doc/doc-txt/NewStuff | 3 +++ 3 files changed, 27 insertions(+), 7 deletions(-) (limited to 'doc') diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 22f06e3c1..bb486d678 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -13347,6 +13347,12 @@ The deprecated &$tls_cipher$& variable is the same as &$tls_in_cipher$& during m but in the context of an outward SMTP delivery taking place via the &(smtp)& transport becomes the same as &$tls_out_cipher$&. +.new +.vitem &$tls_in_cipher_std$& +.vindex "&$tls_in_cipher_std$&" +As above, but returning the RFC standard name for the cipher suite. +.wen + .vitem &$tls_out_cipher$& .vindex "&$tls_out_cipher$&" This variable is @@ -13355,6 +13361,12 @@ and then set to the outgoing cipher suite if one is negotiated. See chapter &<>& for details of TLS support and chapter &<>& for details of the &(smtp)& transport. +,new +.vitem &$tls_out_cipher_std$& +.vindex "&$tls_out_cipher_std$&" +As above, but returning the RFC standard name for the cipher suite. +.wen + .vitem &$tls_out_dane$& .vindex &$tls_out_dane$& DANE active status. See section &<>&. 
@@ -16585,23 +16597,26 @@ on at the end (preceded by a semicolon). The string is expanded each time it is used. If the expansion yields an empty string, no &'Received:'& header line is added to the message. Otherwise, the string should start with the text &"Received:"& and conform to the RFC 2822 specification for &'Received:'& -header lines. The default setting is: +header lines. +.new +The default setting is: .code received_header_text = Received: \ ${if def:sender_rcvhost {from $sender_rcvhost\n\t}\ - {${if def:sender_ident \ - {from ${quote_local_part:$sender_ident} }}\ - ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ + {${if def:sender_ident \ + {from ${quote_local_part:$sender_ident} }}\ + ${if def:sender_helo_name {(helo=$sender_helo_name)\n\t}}}}\ by $primary_hostname \ - ${if def:received_protocol {with $received_protocol}} \ - ${if def:tls_in_cipher {($tls_in_cipher)\n\t}}\ + ${if def:received_protocol {with $received_protocol }}\ + ${if def:tls_in_cipher_std { tls $tls_in_cipher_std\n\t}}\ (Exim $version_number)\n\t\ ${if def:sender_address \ {(envelope-from <$sender_address>)\n\t}}\ id $message_exim_id\ ${if def:received_for {\n\tfor $received_for}} .endd +.wen The reference to the TLS cipher is omitted when Exim is built without TLS support. The use of conditional expansions ensures that this works for both @@ -27476,7 +27491,7 @@ but is a full SMTP SASL authenticator rather than being implicit for TLS-connection carried client certificates only. -The examples and discussion in this chapter assume that +The examples and discussion in this chapter assume that client-certificate authentication is being done. The client must present a certificate, diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index c8f3c586d..bc739ae2c 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog 
@@ -18,6 +18,8 @@ JH/02 OpenSSL: suppress the sending of (stateful) TLS1.3 session tickets. JH/03 Debug output for ACL now gives the config file name and line number for each verb. +JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause. + Exim version 4.92 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 3b5cda15c..ad238f4c7 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -13,6 +13,9 @@ Version 4.93 2. A JSON lookup type, and JSON variants of the forall/any expansion conditions. + 3. Variables $tls_in_cipher_std, $tls_out_cipher_std giving the RFC names + for ciphersuites. + Version 4.92 -------------- -- cgit v1.2.3
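Review bot: The new `$tls_in_cipher_std` entry in the spec.xfpt hunk at -13347 says only "As above, but returning the RFC standard name", which does not tell the reader which naming scheme is meant or how the value differs from `$tls_in_cipher`. The commit subject calls it the IETF standard name for the connection ciphersuite; the entry should use that wording. It should also say whether the variable can be empty while `$tls_in_cipher` is set, because the new default `received_header_text` tests `def:tls_in_cipher_std`.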
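Review bot: In the spec.xfpt hunk at -13355, the marker that opens the new `$tls_out_cipher_std` entry is typed `,new` instead of `.new`, which leaves the `.wen` that closes the entry without a matching opener. Change it to `.new` so the entry is marked the same way as the `$tls_in_cipher_std` entry in the previous hunk.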
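Review bot: In the `received_header_text` hunk at -16585, the default cipher clause changes from `($tls_in_cipher)` to ` tls $tls_in_cipher_std`, but the documentation around the code block does not mention the new form or RFC 8314, which only the ChangeLog entry names. Anything that reads the cipher out of Received: header lines sees a different format after this change, so add a sentence after the block naming the RFC 8314 clause and noting that the old text can be restored by setting the option explicitly. The same hunk also re-indents the three `sender_ident` / `sender_helo_name` lines with no visible change in content, which hides the two lines that really changed; keep the whitespace adjustment out of this commit.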
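Review bot: The hunk at -27476 replaces "The examples and discussion in this chapter assume that" with a line that reads identically, so it is a whitespace-only edit in the client-certificate authenticator chapter and unrelated to the ciphersuite variables. Drop it from this commit or send it as a separate cleanup so the cherry-pick carries only the TLS documentation change.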