author | Phil Pennock <pdp@exim.org> | 2012-05-28 01:11:48 -0400 |
---|---|---|
committer | Phil Pennock <pdp@exim.org> | 2012-05-28 01:11:48 -0400 |
commit | 3ecab1575ef1f45a5e7cd3c48cd937ffa8eb0ad9 (patch) | |
tree | b12a012b6aa387392d01990b8627f0b0859a4bf0 /src/README.UPDATING | |
parent | 4789da3a20432b8ce9cdccfb0713c027f91447c9 (diff) | |
parent | f0f5a555bee153477d12bcbce90875d46884281c (diff) | |
download | exim4-3ecab1575ef1f45a5e7cd3c48cd937ffa8eb0ad9.tar.gz |
Merge openssl_disable_ssl2 branch (tag: exim-4_80_RC7)
Diffstat (limited to 'src/README.UPDATING')
-rw-r--r-- | src/README.UPDATING | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/README.UPDATING b/src/README.UPDATING index 6a820bc7c..d34dec1e1 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -43,6 +43,12 @@ Exim version 4.80 the message. No tool has been provided as we believe this is a rare occurence. + * For OpenSSL, SSLv2 is now disabled by default. (GnuTLS does not support + SSLv2). RFC 6176 prohibits SSLv2 and some informal surveys suggest no + actual usage. You can re-enable with the "openssl_options" Exim option, + in the main configuration section. Note that supporting SSLv2 exposes + you to ciphersuite downgrade attacks. + * With OpenSSL 1.0.1+, Exim now supports TLS 1.1 and TLS 1.2. If built against 1.0.1a then you will get a warning message and the "openssl_options" value will not parse "no_tlsv1_1": the value changes @@ -52,8 +58,9 @@ Exim version 4.80 "openssl_options" gains "no_tlsv1_1", "no_tlsv1_2" and "no_compression". COMPATIBILITY WARNING: The default value of "openssl_options" is no longer - "+dont_insert_empty_fragments". We default to unset. That old default was - grandfathered in from before openssl_options became a configuration option. + "+dont_insert_empty_fragments". We default to "+no_sslv2". + That old default was grandfathered in from before openssl_options became a + configuration option. Empty fragments are inserted by default through TLS1.0, to partially defend against certain attacks; TLS1.1+ change the protocol so that this is not needed. The DIEF SSL option was required for some old releases of mail |
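Review bot: the new SSLv2 bullet in the first hunk tells administrators they "can re-enable with the openssl_options Exim option" but never names the flag involved, so a reader has to infer from the second hunk that the default is now "+no_sslv2" and that this is the setting to drop. Suggest stating it directly, for example: "You can re-enable SSLv2 by setting "openssl_options" to a value that does not include "no_sslv2"", so the upgrade note stands on its own. The RFC 6176 citation is correct (it is the document that prohibits SSL 2.0), and the downgrade-attack sentence is a useful reason to leave the default alone; the only other nit is the pre-existing "occurence" typo in the unchanged context line immediately above, which could be fixed in passing.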
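Review bot: the COMPATIBILITY WARNING in the second hunk changes the documented default from "+dont_insert_empty_fragments" to "+no_sslv2" but does not say what happens to sites that already set "openssl_options" explicitly (typically to the old "+dont_insert_empty_fragments" value, which this paragraph is about). If an explicit setting replaces the default rather than extending it, such a site would keep SSLv2 enabled after upgrading without any change on their part; if it extends it, that is worth saying too. Suggest one added sentence after "We default to "+no_sslv2"." along the lines of: "If you set "openssl_options" yourself, include "+no_sslv2" if you want SSLv2 to stay disabled." Also, the reflowed sentence "That old default was grandfathered in ..." now reads slightly ambiguously because two defaults are mentioned in the preceding lines; "That old default" could be "The "+dont_insert_empty_fragments" default was grandfathered in ..." to remove the ambiguity.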