From 20b9a2dc027844f7288508d0f81df815110e4e69 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Tue, 17 May 2016 21:42:35 +0100
Subject: [PATCH 1/1] TLS: retire obsolete options gnutls_require_{kx,mac,proto)

---
 doc/doc-txt/ChangeLog | 3 +++
 src/src/globals.c | 3 ---
 src/src/globals.h | 3 ---
 src/src/readconf.c | 10 ----------
 src/src/transports/smtp.c | 23 -----------------------
 src/src/transports/smtp.h | 3 ---
 6 files changed, 3 insertions(+), 42 deletions(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3bf6fc908..f5e9b8dea 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -29,6 +29,9 @@ JH/05 If main configuration option tls_certificate is unset, generate a
 JH/06 Bug 165: hide more cases of password exposure - this time in expansions in rewrites and routers.
+JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80
+ and logged a warning sing 4.83; now they are a configuration file error.
+
 Exim version 4.87
 -----------------
diff --git a/src/src/globals.c b/src/src/globals.c
index 0586fdd98..e7a54c4b8 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -144,9 +144,6 @@ uschar *dsn_advertise_hosts = NULL;
 #ifdef SUPPORT_TLS
 BOOL gnutls_compat_mode = FALSE;
 BOOL gnutls_allow_auto_pkcs11 = FALSE;
-uschar *gnutls_require_mac = NULL;
-uschar *gnutls_require_kx = NULL;
-uschar *gnutls_require_proto = NULL;
 uschar *openssl_options = NULL;
 const pcre *regex_STARTTLS = NULL;
 uschar *tls_advertise_hosts = US"*";
diff --git a/src/src/globals.h b/src/src/globals.h
index 72bb13919..1caf8e8a9 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -108,9 +108,6 @@ extern tls_support tls_out;
 #ifdef SUPPORT_TLS
 extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
 extern BOOL gnutls_allow_auto_pkcs11; /* Let GnuTLS autoload PKCS11 modules */
-extern uschar *gnutls_require_mac; /* So some can be avoided */
-extern uschar *gnutls_require_kx; /* So some can be avoided */
-extern uschar *gnutls_require_proto; /* So some can be avoided */
 extern uschar *openssl_options; /* OpenSSL compatibility options */
 extern const pcre *regex_STARTTLS; /* For recognizing STARTTLS settings */
 extern uschar *tls_certificate; /* Certificate file */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 375f01a1a..f4a9b2d23 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -271,11 +271,6 @@ static optionlist optionlist_config[] = {
 #ifdef SUPPORT_TLS
 { "gnutls_allow_auto_pkcs11", opt_bool, &gnutls_allow_auto_pkcs11 },
 { "gnutls_compat_mode", opt_bool, &gnutls_compat_mode },
- /* These three gnutls_require_* options stopped working in Exim 4.80 */
- /* From 4.83 we log a warning; a future relase will remove them */
- { "gnutls_require_kx", opt_stringptr, &gnutls_require_kx },
- { "gnutls_require_mac", opt_stringptr, &gnutls_require_mac },
- { "gnutls_require_protocols", opt_stringptr, &gnutls_require_proto },
 #endif
 { "header_line_maxsize", opt_int, &header_line_maxsize },
 { "header_maxsize", opt_int, &header_maxsize },
@@ -3497,11 +3492,6 @@ if (openssl_options != NULL)
 "openssl_options parse error: %s", openssl_options);
 # endif
 }
- if (!nowarn && (gnutls_require_kx || gnutls_require_mac || gnutls_require_proto)) log_write(0, LOG_MAIN, "WARNING: main options" " gnutls_require_kx, gnutls_require_mac and gnutls_require_protocols" " are obsolete\n");
 #endif /*SUPPORT_TLS*/
 if (!nowarn && !keep_environment && environ && *environ)
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index d295e8019..3a887c151 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -72,17 +72,6 @@ optionlist smtp_transport_options[] = {
 (void *)offsetof(smtp_transport_options_block, final_timeout) },
 { "gethostbyname", opt_bool,
 (void *)offsetof(smtp_transport_options_block, gethostbyname) },
-#ifdef SUPPORT_TLS /* These are no longer honoured, as of Exim 4.80; for now, we silently ignore; 4.83 will warn, and a later-still release will remove these options, so that using them becomes an error. */ { "gnutls_require_kx", opt_stringptr, (void *)offsetof(smtp_transport_options_block, gnutls_require_kx) }, { "gnutls_require_mac", opt_stringptr, (void *)offsetof(smtp_transport_options_block, gnutls_require_mac) }, { "gnutls_require_protocols", opt_stringptr, (void *)offsetof(smtp_transport_options_block, gnutls_require_proto) },
-#endif
 { "helo_data", opt_stringptr,
 (void *)offsetof(smtp_transport_options_block, helo_data) },
 { "hosts", opt_stringptr,
@@ -257,9 +246,6 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 NULL, /* tls_crl */
 NULL, /* tls_privatekey */
 NULL, /* tls_require_ciphers */
- NULL, /* gnutls_require_kx */
- NULL, /* gnutls_require_mac */
- NULL, /* gnutls_require_proto */
 NULL, /* tls_sni */
 US"system", /* tls_verify_certificates */
 EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
@@ -411,15 +397,6 @@ if (ob->hosts_override && ob->hosts != NULL) tblock->overrides_hosts = TRUE;
 for them, but do not do any lookups at this time. */
 host_build_hostlist(&(ob->fallback_hostlist), ob->fallback_hosts, FALSE);
- #ifdef SUPPORT_TLS if ( ob->gnutls_require_kx || ob->gnutls_require_mac || ob->gnutls_require_proto) log_write(0, LOG_MAIN, "WARNING: smtp transport options" " gnutls_require_kx, gnutls_require_mac and gnutls_require_protocols" " are obsolete\n");
-#endif
 }
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 07b601a96..8583ab468 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -67,9 +67,6 @@ typedef struct {
 uschar *tls_crl;
 uschar *tls_privatekey;
 uschar *tls_require_ciphers;
- uschar *gnutls_require_kx;
- uschar *gnutls_require_mac;
- uschar *gnutls_require_proto;
 uschar *tls_sni;
 uschar *tls_verify_certificates;
 int tls_dh_min_bits;
-- 
2.30.2