From: Heiko Schlittermann (HS12-RIPE)
Date: Thu, 26 Sep 2019 23:35:19 +0000 (+0200)
Subject: Add tls_pre_flight_checks main config option
X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/59e6a174628f1c4e15c8a65f3a7ad762db43e8c6

Add tls_pre_flight_checks main config option

This option controls, if during readonf time we do start a TLS check in a subprocess. The option defaults to TRUE, for backward compatibility. No tests introduced to the testsuite, as exactly the message about the created child process gets filtered out by the munger of runtest
---
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 4d4bab7c2..3eeb083ec 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -14187,6 +14187,7 @@ listed in more than one group.
 .row &%tls_eccurve%& "EC curve selection for server"
 .row &%tls_ocsp_file%& "location of server certificate status proof"
 .row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports"
+.row &%tls_pre_flight_checks%& "control TLS checks during process startup"
 .row &%tls_privatekey%& "location of server private key"
 .row &%tls_remember_esmtp%& "don't reset after starting TLS"
 .row &%tls_require_ciphers%& "specify acceptable ciphers"
@@ -17664,6 +17665,16 @@ set up without waiting for the client to issue a STARTTLS command. For further
 details, see section &<>&.
 
+.new
+.option tls_pre_flight_checks main boolean true
+.cindex TLS "pre flight checks"
+.cindex TLS "startup"
+This option controls, if, during process startup, speculative tests are
+done in a suprocess. Disabling this tests may delay TLS errors and may
+make them harder to debug. This is an advanced option. This option is
+experimental and may be removed or renamed without further notice.
+.wen
+
 .option tls_privatekey main string list&!! unset
 .cindex "TLS" "server private key; location of"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3bc992d4d..574b10cf0 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -4,6 +4,12 @@ This document describes *changes* to previous versions, that might affect
 Exim's operation, with an unchanged configuration file. For new options, and
 new features, see the NewStuff file next to this ChangeLog.
 
+Exim next version
+-----------------
+
+HS/01 Add tls_pre_flight_checks (experimental)
+
+
 Exim version 4.92.2
 -------------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index c3c69ebc5..f4a5c07b1 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -6,6 +6,12 @@ Before a formal release, there may be quite a lot of detail so that people can
 test from the snapshots or the Git before the documentation is updated. Once
 the documentation is updated, this file is reduced to a short list.
 
+Version 4.92++
+--------------
+
+ x. New main config option tls_pre_flight_checks
+
+
 Version 4.92
 --------------
diff --git a/src/src/globals.c b/src/src/globals.c
index b3362a34c..0fd00237f 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -136,6 +136,8 @@ tls_support tls_out = {
 .ocsp = OCSP_NOT_REQ
 };
 
+BOOL tls_pre_flight_checks = TRUE; /* do the TLS checks at readconf time */
+
 uschar *dsn_envid = NULL;
 int dsn_ret = 0;
 const pcre *regex_DSN = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index f71f104e2..3f1208736 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -104,6 +104,7 @@ typedef struct {
 } tls_support;
 extern tls_support tls_in;
 extern tls_support tls_out;
+extern BOOL tls_pre_flight_checks; /* do the TLS checks at readconf time */
 
 #ifdef SUPPORT_TLS
 extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 5742d10ae..dcda931e6 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -367,6 +367,7 @@ static optionlist optionlist_config[] = {
 { "tls_ocsp_file", opt_stringptr, &tls_ocsp_file },
 # endif
 { "tls_on_connect_ports", opt_stringptr, &tls_in.on_connect_ports },
+ { "tls_pre_flight_checks", opt_bool, &tls_pre_flight_checks },
 { "tls_privatekey", opt_stringptr, &tls_privatekey },
 { "tls_remember_esmtp", opt_bool, &tls_remember_esmtp },
 { "tls_require_ciphers", opt_stringptr, &tls_require_ciphers },
@@ -3627,7 +3628,7 @@ if ((tls_verify_hosts || tls_try_verify_hosts) && !tls_verify_certificates)
 /* This also checks that the library linkage is working and we can call
 routines in it, so call even if tls_require_ciphers is unset */
 
-if (!tls_dropprivs_validate_require_cipher(nowarn))
+if (tls_pre_flight_checks && !tls_dropprivs_validate_require_cipher(nowarn))
 exit(1);
 
 /* Magic number: at time of writing, 1024 has been the long-standing value
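Review bot: With tls_pre_flight_checks set to false the guarded call is skipped entirely, so config reading now completes with tls_require_ciphers never validated, and the comment two lines above says this same call is what proves the TLS library linkage works; a bad cipher string or broken library is then first noticed when a TLS session is attempted rather than at startup, and the hunk neither comments nor logs that. A one-line comment above the condition would tell the next reader why the guard exists: `/* tls_pre_flight_checks=false skips this subprocess check; cipher-list and library errors then surface at the first TLS session instead of here */`. It is also worth a debug line for the disabled case, e.g. `if (!tls_pre_flight_checks) DEBUG(D_tls) debug_printf("tls_pre_flight_checks is false; skipping TLS pre-flight check\n");`, so a later TLS failure can be correlated with the skipped check. The enclosing function (presumably readconf_main, given the nowarn parameter) starts and ends outside the hunk.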