X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/a799883d8ad340d935db4d729a31c02cb8a1d977..700d22f3fc0cc559170e8085a1b799b61dceb738:/src/README.UPDATING diff --git a/src/README.UPDATING b/src/README.UPDATING index 6a820bc7c..dacb5d3aa 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -26,6 +26,18 @@ The rest of this document contains information about changes in 4.xx releases that might affect a running system. +Exim version 4.82 +----------------- + + * New option gnutls_enable_pkcs11 defaults false; if you have GnuTLS 2.12.0 + or later and do want PKCS11 modules to be autoloaded, then set this option. + + * A per-transport wait- database is no longer updated if the transport + sets "connection_max_messages" to 1, as it can not be used and causes + unnecessary serialisation and load. External tools tracking the state of + Exim by the hints databases may need modification to take this into account. + + Exim version 4.80 ----------------- @@ -43,6 +55,12 @@ Exim version 4.80 the message. No tool has been provided as we believe this is a rare occurence. + * For OpenSSL, SSLv2 is now disabled by default. (GnuTLS does not support + SSLv2). RFC 6176 prohibits SSLv2 and some informal surveys suggest no + actual usage. You can re-enable with the "openssl_options" Exim option, + in the main configuration section. Note that supporting SSLv2 exposes + you to ciphersuite downgrade attacks. + * With OpenSSL 1.0.1+, Exim now supports TLS 1.1 and TLS 1.2. If built against 1.0.1a then you will get a warning message and the "openssl_options" value will not parse "no_tlsv1_1": the value changes @@ -52,8 +70,9 @@ Exim version 4.80 "openssl_options" gains "no_tlsv1_1", "no_tlsv1_2" and "no_compression". COMPATIBILITY WARNING: The default value of "openssl_options" is no longer - "+dont_insert_empty_fragments". We default to unset. That old default was - grandfathered in from before openssl_options became a configuration option. + "+dont_insert_empty_fragments". We default to "+no_sslv2". + That old default was grandfathered in from before openssl_options became a + configuration option. Empty fragments are inserted by default through TLS1.0, to partially defend against certain attacks; TLS1.1+ change the protocol so that this is not needed. The DIEF SSL option was required for some old releases of mail