# Start by initializing some global variables
-$testversion = "4.78 (08-May-12)";
+$testversion = "4.80 (08-May-12)";
+
+# This gets embedded in the D-H params filename, and the value comes
+# from asking GnuTLS for "normal", but there appears to be no way to
+# use certtool/... to ask what that value currently is. *sigh*
+# This value is correct as of GnuTLS 2.12.18.
+#
+$gnutls_dh_bits_normal = 2432;
$cf = "bin/cf -exact";
$cr = "\r";
# So far, have seen:
# TLSv1:AES256-SHA:256
# TLSv1.2:AES256-GCM-SHA384:256
+ # TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
# We also need to handle the ciphersuite without the TLS part present, for
# client-ssl's output. We also see some older forced ciphersuites, but
# negotiating TLS 1.2 instead of 1.0.
s/( (?: (?:\b|\s) [\(=] ) | \s )TLSv1\.2:/$1TLSv1:/xg;
s/\bAES256-GCM-SHA384\b/AES256-SHA/g;
+ # GnuTLS have seen:
+ # TLS1.2:RSA_AES_256_CBC_SHA1:256 (canonical)
+ # TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128
+ #
+ # X=TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256
+ # X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256
+ # and as stand-alone cipher:
+ # DHE-RSA-AES256-SHA256
+ # DHE-RSA-AES256-SHA
+ # picking latter as canonical simply because regex easier that way.
+ s/\bDHE_RSA_AES_128_CBC_SHA1:128/RSA_AES_256_CBC_SHA1:256/g;
+ s/X=TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256/X=TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256/g;
+ s/\bDHE-RSA-AES256-SHA256\b/DHE-RSA-AES256-SHA/g;
+
# ======== Caller's login, uid, gid, home, gecos ========
if (/^gnutls/)
{
- run_system "sudo cp -p aux-fixed/gnutls-params spool/gnutls-params;" .
- "sudo chown $parm_eximuser:$parm_eximgroup spool/gnutls-params;" .
- "sudo chmod 0400 spool/gnutls-params";
+ my $gen_fn = "spool/gnutls-params-$gnutls_dh_bits_normal";
+ run_system "sudo cp -p aux-fixed/gnutls-params $gen_fn;" .
+ "sudo chown $parm_eximuser:$parm_eximgroup $gen_fn;" .
+ "sudo chmod 0400 $gen_fn";
return 1;
}
git://git.exim.org / users / heiko / exim.git / blobdiff