X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/c2b063d407d37f6d813cdc4bc9d6a346f071a471..2e5b33cdf3591080e44862951f7c2ac9eced16de:/src/README.UPDATING diff --git a/src/README.UPDATING b/src/README.UPDATING index a15bd418e..d34dec1e1 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -43,6 +43,12 @@ Exim version 4.80 the message. No tool has been provided as we believe this is a rare occurence. + * For OpenSSL, SSLv2 is now disabled by default. (GnuTLS does not support + SSLv2). RFC 6176 prohibits SSLv2 and some informal surveys suggest no + actual usage. You can re-enable with the "openssl_options" Exim option, + in the main configuration section. Note that supporting SSLv2 exposes + you to ciphersuite downgrade attacks. + * With OpenSSL 1.0.1+, Exim now supports TLS 1.1 and TLS 1.2. If built against 1.0.1a then you will get a warning message and the "openssl_options" value will not parse "no_tlsv1_1": the value changes @@ -52,8 +58,9 @@ Exim version 4.80 "openssl_options" gains "no_tlsv1_1", "no_tlsv1_2" and "no_compression". COMPATIBILITY WARNING: The default value of "openssl_options" is no longer - "+dont_insert_empty_fragments". We default to unset. That old default was - grandfathered in from before openssl_options became a configuration option. + "+dont_insert_empty_fragments". We default to "+no_sslv2". + That old default was grandfathered in from before openssl_options became a + configuration option. Empty fragments are inserted by default through TLS1.0, to partially defend against certain attacks; TLS1.1+ change the protocol so that this is not needed. The DIEF SSL option was required for some old releases of mail @@ -142,6 +149,21 @@ Exim version 4.80 fail completely. (The check is not done as root, to ensure that problems here are not made worse by the check). + * The "tls_dhparam" option has been updated, so that it can now specify a + path or an identifier for a standard DH prime from one of a few RFCs. + The default for OpenSSL is no longer to not use DH but instead to use + one of these standard primes. The default for GnuTLS is no longer to use + a file in the spool directory, but to use that same standard prime. + The option is now used by GnuTLS too. If it points to a path, then + GnuTLS will use that path, instead of a file in the spool directory; + GnuTLS will attempt to create it if it does not exist. + + To preserve the previous behaviour of generating files in the spool + directory, set "tls_dhparam = historic". Since prior releases of Exim + ignored tls_dhparam when using GnuTLS, this can safely be done before + the upgrade. + + Exim version 4.77 -----------------