.row &%tls_eccurve%& "EC curve selection for server"
.row &%tls_ocsp_file%& "location of server certificate status proof"
.row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports"
+.row &%tls_pre_flight_checks%& "control TLS checks during process startup"
.row &%tls_privatekey%& "location of server private key"
.row &%tls_remember_esmtp%& "don't reset after starting TLS"
.row &%tls_require_ciphers%& "specify acceptable ciphers"
further details, see section &<<SECTsupobssmt>>&.
+.new
+.option tls_pre_flight_checks main boolean true
+.cindex TLS "pre flight checks"
+.cindex TLS "startup"
+This option controls, if, during process startup, speculative tests are
+done in a suprocess. Disabling this tests may delay TLS errors and may
+make them harder to debug. This is an advanced option. This option is
+experimental and may be removed or renamed without further notice.
+.wen
+
.option tls_privatekey main string list&!! unset
.cindex "TLS" "server private key; location of"
affect Exim's operation, with an unchanged configuration file. For new
options, and new features, see the NewStuff file next to this ChangeLog.
+Exim next version
+-----------------
+
+HS/01 Add tls_pre_flight_checks (experimental)
+
+
Exim version 4.92.2
-------------------
test from the snapshots or the Git before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
+Version 4.92++
+--------------
+
+ x. New main config option tls_pre_flight_checks
+
+
Version 4.92
--------------
.ocsp = OCSP_NOT_REQ
};
+BOOL tls_pre_flight_checks = TRUE; /* do the TLS checks at readconf time */
+
uschar *dsn_envid = NULL;
int dsn_ret = 0;
const pcre *regex_DSN = NULL;
} tls_support;
extern tls_support tls_in;
extern tls_support tls_out;
+extern BOOL tls_pre_flight_checks; /* do the TLS checks at readconf time */
#ifdef SUPPORT_TLS
extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
{ "tls_ocsp_file", opt_stringptr, &tls_ocsp_file },
# endif
{ "tls_on_connect_ports", opt_stringptr, &tls_in.on_connect_ports },
+ { "tls_pre_flight_checks", opt_bool, &tls_pre_flight_checks },
{ "tls_privatekey", opt_stringptr, &tls_privatekey },
{ "tls_remember_esmtp", opt_bool, &tls_remember_esmtp },
{ "tls_require_ciphers", opt_stringptr, &tls_require_ciphers },
/* This also checks that the library linkage is working and we can call
routines in it, so call even if tls_require_ciphers is unset */
-if (!tls_dropprivs_validate_require_cipher(nowarn))
+if (tls_pre_flight_checks && !tls_dropprivs_validate_require_cipher(nowarn))
exit(1);
/* Magic number: at time of writing, 1024 has been the long-standing value
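Review bot: The comment on the two lines above the guard still says the validation is called "even if tls_require_ciphers is unset" because it also proves the TLS library linkage works, but with `tls_pre_flight_checks` set to false the call is skipped entirely, so neither the cipher-string check nor the linkage check runs and the first sign of a bad `tls_require_ciphers` or a broken library is a failed TLS session later on. The comment should state that: `/* Unless tls_pre_flight_checks is false, this also checks that the library linkage is working and we can call routines in it, so call even if tls_require_ciphers is unset; when disabled, such errors only surface at TLS session time */`. Since the option defaults to true and a silent skip makes the deferred failure harder to trace, it would also help operators to emit a debug-level line (via whatever debug facility this file already uses) when the check is skipped. The enclosing function starts and ends outside this hunk.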