gnutls_compat_mode to allow compatibility with broken clients. fixes: #665

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index db8de08055ebb3d0c5e014649a9acf8811e6022c..9541d6e061fa51206df5a92c717a5fc86a381545 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -1,4 +1,4 @@
-. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.58 2009/10/16 08:52:05 tom Exp $
+. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.59 2009/10/16 09:51:12 nm4 Exp $
 .
 . /////////////////////////////////////////////////////////////////////////////
 . This is the primary source of the Exim Manual. It is an xfpt document that is
@@ -12368,6 +12368,7 @@ listed in more than one group.
 .row &%gnutls_require_kx%&           "control GnuTLS key exchanges"
 .row &%gnutls_require_mac%&          "control GnuTLS MAC algorithms"
 .row &%gnutls_require_protocols%&    "control GnuTLS protocols"
+.row &%gnutls_compat_mode%&          "use GnuTLS compatibility mode"
 .row &%tls_advertise_hosts%&         "advertise TLS to these hosts"
 .row &%tls_certificate%&             "location of server certificate"
 .row &%tls_crl%&                     "certificate revocation list"
@@ -13367,6 +13368,11 @@ server. For details, see section &<<SECTreqciphgnu>>&.
 This option controls the protocols when GnuTLS is used in an Exim
 server. For details, see section &<<SECTreqciphgnu>>&.
 
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+
 
 .option headers_charset main string "see below"
 This option sets a default character set for translating from encoded MIME
@@ -21467,6 +21473,11 @@ client. For details, see section &<<SECTreqciphgnu>>&.
 This option controls the protocols when GnuTLS is used in an Exim
 client. For details, see section &<<SECTreqciphgnu>>&.
 
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+
 .option helo_data smtp string&!! "see below"
 .cindex "HELO" "argument, setting"
 .cindex "EHLO" "argument, setting"

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index e7db600034468fc6bf4af20caa7324ab06f0e9d5..6153e000b13934d39c1cbdf1a07b664ee5dd109e 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.569 2009/10/14 14:48:41 nm4 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.570 2009/10/16 09:51:12 nm4 Exp $
 
 Change log file for Exim from version 4.21
 -------------------------------------------
@@ -111,6 +111,9 @@ NM/19 Bugzilla 745: TLS version reporting
 NM/20 Bugzilla 167: bool: condition support
       Patch provided by Phil Pennock
 
+NM/21 Bugzilla 665: gnutls_compat_mode to allow compatibility with broken clients
+      Patch provided by Phil Pennock
+
 
 Exim version 4.69
 -----------------

diff --git a/src/src/globals.c b/src/src/globals.c
index 98e1da5d62915b1375661f0a721694750e22c817..b40e8e9dcfca015113877a7528f3208c50019858 100644 (file)
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/globals.c,v 1.84 2009/10/15 08:27:37 tom Exp $ */
+/* $Cambridge: exim/src/src/globals.c,v 1.85 2009/10/16 09:51:12 nm4 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
@@ -111,6 +111,7 @@ uschar *tls_on_connect_ports   = NULL;
 uschar *tls_peerdn             = NULL;
 
 #ifdef SUPPORT_TLS
+BOOL    gnutls_compat_mode     = FALSE;
 uschar *gnutls_require_mac     = NULL;
 uschar *gnutls_require_kx      = NULL;
 uschar *gnutls_require_proto   = NULL;

diff --git a/src/src/globals.h b/src/src/globals.h
index 04a030bab56a07f61b410918cc96f45941cecc92..a50d1b469d792e04cc761b2a336004ded3bc375a 100644 (file)
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/globals.h,v 1.65 2009/10/15 08:27:37 tom Exp $ */
+/* $Cambridge: exim/src/src/globals.h,v 1.66 2009/10/16 09:51:12 nm4 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
@@ -71,6 +71,7 @@ extern uschar *tls_on_connect_ports;   /* Ports always tls-on-connect */
 extern uschar *tls_peerdn;             /* DN from peer */
 
 #ifdef SUPPORT_TLS
+extern BOOL    gnutls_compat_mode;     /* Less security, more compatibility */
 extern uschar *gnutls_require_mac;     /* So some can be avoided */
 extern uschar *gnutls_require_kx;      /* So some can be avoided */
 extern uschar *gnutls_require_proto;   /* So some can be avoided */

diff --git a/src/src/readconf.c b/src/src/readconf.c
index 1651ecc6ac339dff6c5645a8aad0a6da5f246234..c836d37eb5bcee81b268b07454d9e99d0ac9bcf0 100644 (file)
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/readconf.c,v 1.37 2009/10/16 08:51:34 tom Exp $ */
+/* $Cambridge: exim/src/src/readconf.c,v 1.38 2009/10/16 09:51:12 nm4 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
@@ -235,6 +235,7 @@ static optionlist optionlist_config[] = {
   { "gecos_name",               opt_stringptr,   &gecos_name },
   { "gecos_pattern",            opt_stringptr,   &gecos_pattern },
 #ifdef SUPPORT_TLS
+  { "gnutls_compat_mode",       opt_bool,        &gnutls_compat_mode },
   { "gnutls_require_kx",        opt_stringptr,   &gnutls_require_kx },
   { "gnutls_require_mac",       opt_stringptr,   &gnutls_require_mac },
   { "gnutls_require_protocols", opt_stringptr,   &gnutls_require_proto },

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index c26a9bac6b551677acc7f1a12b91f0465a0652cf..0e90b79082af47e36b8d8109b9b1bed4023d016c 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/tls-gnu.c,v 1.22 2009/10/14 13:52:48 nm4 Exp $ */
+/* $Cambridge: exim/src/src/tls-gnu.c,v 1.23 2009/10/16 09:51:12 nm4 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
@@ -792,6 +792,18 @@ if (verify_requirement != VERIFY_NONE)
 
 gnutls_db_set_cache_expiration(session, ssl_session_timeout);
 
+/* Reduce security in favour of increased compatibility, if the admin
+decides to make that trade-off. */
+if (gnutls_compat_mode)
+  {
+#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
+  DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
+  gnutls_session_enable_compatibility_mode(session);
+#else
+  DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
+#endif
+  }
+
 DEBUG(D_tls) debug_printf("initialized GnuTLS session\n");
 return session;
 }