diff options
author | Phil Pennock <pdp@exim.org> | 2012-05-20 21:49:40 -0400 |
---|---|---|
committer | Phil Pennock <pdp@exim.org> | 2012-05-20 21:49:40 -0400 |
commit | 3375e053c40dacf62a7eac02d52438a43398c053 (patch) | |
tree | 47d77126f289bf20d0068f5acdea4cbe382f92d8 /src/README.UPDATING | |
parent | 3bcbbbe2697819d248259b1938ffd52d2bf4090b (diff) | |
download | exim4-3375e053c40dacf62a7eac02d52438a43398c053.tar.gz |
Added tls_dh_max_bits & check tls_require_ciphers early.
Janne Snabb tracked down the GnuTLS 2.12 vs NSS (Thunderbird) interop
problems to a hard-coded limit of 2236 bits for DH in NSS while GnuTLS
was suggesting 2432 bits as normal.
Added new global option tls_dh_max_bits to clamp all DH values (client
or server); unexpanded integer. Default value to 2236. Apply to both
GnuTLS and OpenSSL (which requires tls_dh_params for this).
Tired of debugging "SMTP fails TLS" error messages in mailing-lists
caused by OpenSSL library/include clashes, and of finding out I typo'd
in tls_require_ciphers only at the STARTTLS handshake. During readconf,
fork/drop-privs/initialise-TLS-library. In that, if tls_require_ciphers
is set, then validate it.
The validation child will panic if it can't initialise or if
tls_require_ciphers can't be parsed, else it exits 0. If the child
exits anything other than 0, the main Exim process will exit.
Diffstat (limited to 'src/README.UPDATING')
-rw-r--r-- | src/README.UPDATING | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/src/README.UPDATING b/src/README.UPDATING index 7ce35dff8..e685b8ec3 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -66,6 +66,11 @@ Exim version 4.80 security for compatibility. Exim is now defaulting to higher security and rewarding more modern clients. + If the option tls_dhparams is set and the parameters loaded from the file + have a bit-count greater than the new option tls_dh_max_bits, then the file + will now be ignored. If this affects you, raise the tls_dh_max_bits limit. + We suspect that most folks are using dated defaults and will not be affected. + * Ldap lookups returning multi-valued attributes now separate the attributes with only a comma, not a comma-space sequence. Also, an actual comma within a returned attribute is doubled. This makes it possible to parse the @@ -111,6 +116,25 @@ Exim version 4.80 support for SNI and other features more readily. We regret that it wasn't feasible to retain the three dropped options. + * If built with TLS support, then Exim will now validate the value of + the main section tls_require_ciphers option at start-up. Before, this + would cause a STARTTLS 4xx failure, now it causes a failure to start. + Running with a broken configuration which causes failures that may only + be left in the logs has been traded off for something more visible. This + change makes an existing problem more prominent, but we do not believe + anyone would deliberately be running with an invalid tls_require_ciphers + option. + + This also means that library linkage issues caused by conflicts of some + kind might take out the main daemon, not just the delivery or receiving + process. Conceivably some folks might prefer to continue delivering + mail plaintext when their binary is broken in this way, if there is a + server that is a candidate to receive such mails that does not advertise + STARTTLS. Note that Exim is typically a setuid root binary and given + broken linkage problems that cause segfaults, we feel it is safer to + fail completely. (The check is not done as root, to ensure that problems + here are not made worse by the check). + Exim version 4.77 ----------------- |