From: Phil Pennock Date: Mon, 28 May 2012 05:11:48 +0000 (-0400) Subject: Merge openssl_disable_ssl2 branch X-Git-Tag: exim-4_80_RC7^0 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/3ecab1575ef1f45a5e7cd3c48cd937ffa8eb0ad9 Merge openssl_disable_ssl2 branch --- 3ecab1575ef1f45a5e7cd3c48cd937ffa8eb0ad9 diff --cc doc/doc-txt/ChangeLog index 4f8154c7e,6b2b62cdb..6c0554b5a --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@@ -88,81 -86,8 +88,83 @@@ PP/19 DNS resolver init changes for Net Not seeing resolver debug output on NetBSD, but suspect this is a resolver implementation change. -PP/20 Disable SSLv2 by default in OpenSSL support. +PP/20 Revert part of NM/04, it broke log_path containing %D expansions. + Left warnings. Added "eximon gdb" invocation mode. + +PP/21 Defaulting "accept_8bitmime" to true, not false. + +PP/22 Added -bw for inetd wait mode support. + +PP/23 Added PCRE_CONFIG=yes support to Makefile for using pcre-config to + locate the relevant includes and libraries. Made this the default. + +PP/24 Fixed headers_only on smtp transports (was not sending trailing dot). + Bugzilla 1246, report and most of solution from Tomasz Kusy. + +JH/03 ${eval } now uses 64-bit and supports a "g" suffix (like to "k" and "m"). + This may cause build issues on older platforms. + +PP/25 Revamped GnuTLS support, passing tls_require_ciphers to + gnutls_priority_init, ignoring Exim options gnutls_require_kx, + gnutls_require_mac & gnutls_require_protocols (no longer supported). + Added SNI support via GnuTLS too. + Made ${randint:..} supplier available, if using not-too-old GnuTLS. + +PP/26 Added EXPERIMENTAL_OCSP for OpenSSL. + +PP/27 Applied dnsdb SPF support patch from Janne Snabb. + Applied second patch from Janne, implementing suggestion to default + multiple-strings-in-record handling to match SPF spec. + +JH/04 Added expansion variable $tod_epoch_l for a higher-precision time. + +PP/28 Fix DCC dcc_header content corruption (stack memory referenced, + read-only, out of scope). + Patch from Wolfgang Breyha, report from Stuart Northfield. + +PP/29 Fix three issues highlighted by clang analyser static analysis. + Only crash-plausible issue would require the Cambridge-specific + iplookup router and a misconfiguration. + Report from Marcin Mirosław. + +PP/30 Another attempt to deal with PCRE_PRERELEASE, this one less buggy. + +PP/31 %D in printf continues to cause issues (-Wformat=security), so for + now guard some of the printf checks behind WANT_DEEPER_PRINTF_CHECKS. + As part of this, removing so much warning spew let me fix some minor + real issues in debug logging. + +PP/32 GnuTLS was always using default tls_require_ciphers, due to a missing + assignment on my part. Fixed. + +PP/33 Added tls_dh_max_bits option, defaulting to current hard-coded limit + of NSS, for GnuTLS/NSS interop. Problem root cause diagnosis by + Janne Snabb (who went above and beyond: thank you). + +PP/34 Validate tls_require_ciphers on startup, since debugging an invalid + string otherwise requires a connection and a bunch more work and it's + relatively easy to get wrong. Should also expose TLS library linkage + problems. + +PP/35 Pull in on Linux, for some portability edge-cases of + 64-bit ${eval} (JH/03). + +PP/36 Define _GNU_SOURCE in exim.h; it's needed for some releases of + GNU libc to support some of the 64-bit stuff, should not lead to + conflicts. Defined before os.h is pulled in, so if a given platform + needs to override this, it can. + +PP/37 Unbreak Cyrus SASL auth: SSF retrieval was incorrect, Exim thought + protection layer was required, which is not implemented. + Bugzilla 1254, patch from Wolfgang Breyha. + +PP/38 Overhaul DH prime handling, supply RFC-specified DH primes as built + into Exim, default to IKE id 23 from RFC 5114 (2048 bit). Make + tls_dhparam take prime identifiers. Also unbreak combination of + OpenSSL+DH_params+TLSSNI. + ++PP/39 Disable SSLv2 by default in OpenSSL support. + Exim version 4.77 ----------------- diff --cc doc/doc-txt/NewStuff index 0c3fccb74,6eae4ce7b..4b9142238 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@@ -57,55 -54,12 +57,59 @@@ Version 4.8 A new log_selector, +tls_sni, has been added, to log received SNI values for Exim as a server. - Currently OpenSSL only. + 8. The existing "accept_8bitmime" option now defaults to true. This means + that Exim is deliberately not strictly RFC compliant. We're following + Dan Bernstein's advice in http://cr.yp.to/smtp/8bitmime.html by default. + Those who disagree, or know that they are talking to mail servers that, + even today, are not 8-bit clean, need to turn off this option. + + 9. Exim can now be started with -bw (with an optional timeout, given as + -bw). With this, stdin at startup is a socket that is + already listening for connections. This has a more modern name of + "socket activation", but forcing the activated socket to fd 0. We're + interested in adding more support for modern variants. + +10. ${eval } now uses 64-bit values on supporting platforms. A new "G" suffix + for numbers indicates multiplication by 1024^3. + +11. The GnuTLS support has been revamped; the three options gnutls_require_kx, + gnutls_require_mac & gnutls_require_protocols are no longer supported. + tls_require_ciphers is now parsed by gnutls_priority_init(3) as a priority + string, documentation for which is at: + http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html + + SNI support has been added to Exim's GnuTLS integration too. + + For sufficiently recent GnuTLS libraries, ${randint:..} will now use + gnutls_rnd(), asking for GNUTLS_RND_NONCE level randomness. + +12. With OpenSSL, if built with EXPERIMENTAL_OCSP, a new option tls_ocsp_file + is now available. If the contents of the file are valid, then Exim will + send that back in response to a TLS status request; this is OCSP Stapling. + Exim will not maintain the contents of the file in any way: administrators + are responsible for ensuring that it is up-to-date. + + See "experimental-spec.txt" for more details. + +13. ${lookup dnsdb{ }} supports now SPF record types. They are handled + identically to TXT record lookups. + +14. New expansion variable $tod_epoch_l for higher-precision time. + +15. New global option tls_dh_max_bits, defaulting to current value of NSS + hard-coded limit of DH ephemeral bits, to fix interop problems caused by + GnuTLS 2.12 library recommending a bit count higher than NSS supports. + +16. tls_dhparam now used by both OpenSSL and GnuTLS, can be path or identifier. + Option can now be a path or an identifier for a standard prime. + If unset, we use the DH prime from section 2.2 of RFC 5114, "ike23". + Set to "historic" to get the old GnuTLS behaviour of auto-generated DH + primes. - 8. SSLv2 now disabled by default in OpenSSL. (Never supported by GnuTLS). ++17. SSLv2 now disabled by default in OpenSSL. (Never supported by GnuTLS). + Use "openssl_options -no_sslv2" to re-enable support, if your OpenSSL + install was not built with OPENSSL_NO_SSL2 ("no-ssl2"). + Version 4.77 ------------ diff --cc doc/doc-txt/OptionLists.txt index a79182975,d6fedcb5c..45b7997d1 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@@ -373,7 -373,7 +373,7 @@@ once st once_file_size integer 0 autoreply 3.20 once_repeat time 0s autoreply 2.95 one_time boolean false redirect 4.00 - openssl_options string unset main 4.73 default to unset in 4.80 -openssl_options string +no_sslv2 main 4.73 default changed in 4.78 ++openssl_options string +no_sslv2 main 4.73 default changed in 4.80 optional boolean false iplookup 4.00 oracle_servers string unset main 4.00 owners string list unset redirect 4.00 diff --cc src/src/tls-openssl.c index 43b79634e,ea32bdb40..22c0730c3 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@@ -1870,8 -1526,11 +1876,11 @@@ uschar keep_c BOOL adding, item_parsed; result = 0L; -/* Prior to 4.78 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed +/* Prior to 4.80 we or'd in SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; removed * from default because it increases BEAST susceptibility. */ + #ifdef SSL_OP_NO_SSLv2 + result |= SSL_OP_NO_SSLv2; + #endif if (option_spec == NULL) {