that might affect a running system.
+Exim version 4.82
+-----------------
+
+ * New option gnutls_enable_pkcs11 defaults false; if you have GnuTLS 2.12.0
+ or later and do want PKCS11 modules to be autoloaded, then set this option.
+
+ * A per-transport wait-<name> database is no longer updated if the transport
+ sets "connection_max_messages" to 1, as it can not be used and causes
+ unnecessary serialisation and load. External tools tracking the state of
+ Exim by the hints databases may need modification to take this into account.
+
+ * The av_scanner option can now accept multiple clamd TCP targets, all other
+ setting limitations remain.
+
+
Exim version 4.80
-----------------
the message. No tool has been provided as we believe this is a rare
occurence.
+ * For OpenSSL, SSLv2 is now disabled by default. (GnuTLS does not support
+ SSLv2). RFC 6176 prohibits SSLv2 and some informal surveys suggest no
+ actual usage. You can re-enable with the "openssl_options" Exim option,
+ in the main configuration section. Note that supporting SSLv2 exposes
+ you to ciphersuite downgrade attacks.
+
* With OpenSSL 1.0.1+, Exim now supports TLS 1.1 and TLS 1.2. If built
against 1.0.1a then you will get a warning message and the
"openssl_options" value will not parse "no_tlsv1_1": the value changes
"openssl_options" gains "no_tlsv1_1", "no_tlsv1_2" and "no_compression".
COMPATIBILITY WARNING: The default value of "openssl_options" is no longer
- "+dont_insert_empty_fragments". We default to unset. That old default was
- grandfathered in from before openssl_options became a configuration option.
+ "+dont_insert_empty_fragments". We default to "+no_sslv2".
+ That old default was grandfathered in from before openssl_options became a
+ configuration option.
Empty fragments are inserted by default through TLS1.0, to partially defend
against certain attacks; TLS1.1+ change the protocol so that this is not
needed. The DIEF SSL option was required for some old releases of mail
is instead given to gnutls_priority_init(3), which expects a priority string;
this behaviour is much closer to the OpenSSL behaviour. See:
- http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html
+ http://www.gnutls.org/manual/html_node/Priority-Strings.html
for fuller documentation of the strings parsed. The three gnutls_require_*
options are still parsed by Exim and, for this release, silently ignored.
fail completely. (The check is not done as root, to ensure that problems
here are not made worse by the check).
+ * The "tls_dhparam" option has been updated, so that it can now specify a
+ path or an identifier for a standard DH prime from one of a few RFCs.
+ The default for OpenSSL is no longer to not use DH but instead to use
+ one of these standard primes. The default for GnuTLS is no longer to use
+ a file in the spool directory, but to use that same standard prime.
+ The option is now used by GnuTLS too. If it points to a path, then
+ GnuTLS will use that path, instead of a file in the spool directory;
+ GnuTLS will attempt to create it if it does not exist.
+
+ To preserve the previous behaviour of generating files in the spool
+ directory, set "tls_dhparam = historic". Since prior releases of Exim
+ ignored tls_dhparam when using GnuTLS, this can safely be done before
+ the upgrade.
+
+
Exim version 4.77
-----------------