From 83e2f8a2515d1cd787ac68b052f6e4539dd48752 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Thu, 17 May 2012 11:17:20 -0400 Subject: Handle absent tls_require_ciphers correctly. Fix test-suite certs to not use MD5. Document that we do not support MD5 certs any longer. Make test-suite generate probably-correct gnutls-params filename for us. --- src/README.UPDATING | 10 +++++++++- src/src/tls-gnu.c | 9 +++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/README.UPDATING b/src/README.UPDATING index 81e767efe..a91794d6c 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -26,9 +26,12 @@ The rest of this document contains information about changes in 4.xx releases that might affect a running system. -Exim version 4.78 +Exim version 4.80 ----------------- + * BEWARE backwards-incompatible changes in SSL libraries, thus the version + bump. See points below for details. + * The value of $tls_peerdn is now print-escaped when written to the spool file in a -tls_peerdn line, and unescaped when read back in. We received reports of values with embedded newlines, which caused spool file corruption. @@ -96,6 +99,11 @@ Exim version 4.78 parsing entirely and the presence of the options will be a configuration error. + Note that by default, GnuTLS will not accept RSA-MD5 signatures in chains. + A tls_require_ciphers value of NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5 may + re-enable support, but this is not supported by the Exim maintainers. + Our test suite no longer includes MD5-based certificates. + This rewrite means that Exim will continue to build against GnuTLS in the future, brings Exim closer to other GnuTLS applications and lets us add support for SNI and other features more readily. We regret that it wasn't diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index a0a35b447..2f50787c2 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c 
@@ -698,6 +698,12 @@ if (state->tls_verify_certificates && *state->tls_verify_certificates)
 return OK;
 }
 }
+else
+ {
+ DEBUG(D_tls)
+ debug_printf("TLS: tls_verify_certificates not set or empty, ignoring\n");
+ return OK;
+ }
 
 if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
 {
@@ -939,6 +945,9 @@ if (state->tls_require_ciphers && *state->tls_require_ciphers)
 }
 if (want_default_priorities)
 {
+ DEBUG(D_tls)
+ debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
+ exim_default_gnutls_priority);
 rc = gnutls_priority_init(&state->priority_cache,
 exim_default_gnutls_priority, &errpos);
 p = US exim_default_gnutls_priority;
-- 
cgit v1.2.3
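Review bot: The new `else` branch returns OK before the `Ustat` of `exp_tls_verify_certificates`, so the caller gets the same OK whether a CA file was found and processed or whether verification was simply never configured, and the only trace of the second case is a D_tls debug line. The message "ignoring" understates that outcome; something like `debug_printf("TLS: tls_verify_certificates not set or empty; skipping CA file processing, peer certs cannot be verified against a CA here\n");` would tell an admin reading debug output why verification is not happening. If tls_crl is consumed later in this function (not visible in the hunk), the early return also skips it and the comment should say so explicitly. The enclosing function starts before and continues after the hunk.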
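Review bot: The added debug line reports the effective priority string only on the `want_default_priorities` path; the `tls_require_ciphers` branch that the hunk header shows (`if (state->tls_require_ciphers && *state->tls_require_ciphers)`) is outside the hunk, so I cannot see whether the operator-supplied, expanded string is logged the same way. If it is not, a matching `DEBUG(D_tls) debug_printf("GnuTLS using tls_require_ciphers \"%s\"\n", ...)` on that branch would let one debug run show which cipher policy is actually in force, which is the question the README change about RSA-MD5 in this commit will prompt. The enclosing function continues outside the hunk.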