From: Phil Pennock Date: Mon, 21 May 2012 01:49:40 +0000 (-0400) Subject: Added tls_dh_max_bits & check tls_require_ciphers early. X-Git-Tag: exim-4_80_RC3~3 X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/3375e053c40dacf62a7eac02d52438a43398c053?hp=3375e053c40dacf62a7eac02d52438a43398c053 Added tls_dh_max_bits & check tls_require_ciphers early. Janne Snabb tracked down the GnuTLS 2.12 vs NSS (Thunderbird) interop problems to a hard-coded limit of 2236 bits for DH in NSS while GnuTLS was suggesting 2432 bits as normal. Added new global option tls_dh_max_bits to clamp all DH values (client or server); unexpanded integer. Default value to 2236. Apply to both GnuTLS and OpenSSL (which requires tls_dh_params for this). Tired of debugging "SMTP fails TLS" error messages in mailing-lists caused by OpenSSL library/include clashes, and of finding out I typo'd in tls_require_ciphers only at the STARTTLS handshake. During readconf, fork/drop-privs/initialise-TLS-library. In that, if tls_require_ciphers is set, then validate it. The validation child will panic if it can't initialise or if tls_require_ciphers can't be parsed, else it exits 0. If the child exits anything other than 0, the main Exim process will exit. ---