that might affect a running system.
-Exim version 4.78
+Exim version 4.80
-----------------
+ * BEWARE backwards-incompatible changes in SSL libraries, thus the version
+ bump. See points below for details.
+
* The value of $tls_peerdn is now print-escaped when written to the spool file
in a -tls_peerdn line, and unescaped when read back in. We received reports
of values with embedded newlines, which caused spool file corruption.
new option, you can safely force it off before upgrading, to decouple
configuration changes from the binary upgrade while remaining RFC compliant.
- * The GnuTLS support has been mostly rewritten, to use 2.12.x APIs. As part
- of this, these three options are no longer supported:
+ * The GnuTLS support has been mostly rewritten, to use APIs which don't cause
+ deprecation warnings in GnuTLS 2.12.x. As part of this, these three options
+ are no longer supported:
gnutls_require_kx
gnutls_require_mac
gnutls_require_protocols
- Their functionality is entirely subsumed into tls_require_ciphers, which is
- no longer parsed apart by Exim but is instead given to
- gnutls_priority_init(3), which is no longer an Exim list. See:
+ Their functionality is entirely subsumed into tls_require_ciphers. In turn,
+ tls_require_ciphers is no longer an Exim list and is not parsed by Exim, but
+ is instead given to gnutls_priority_init(3), which expects a priority string;
+ this behaviour is much closer to the OpenSSL behaviour. See:
http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html
parsing entirely and the presence of the options will be a configuration
error.
+ Note that by default, GnuTLS will not accept RSA-MD5 signatures in chains.
+ A tls_require_ciphers value of NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5 may
+ re-enable support, but this is not supported by the Exim maintainers.
+ Our test suite no longer includes MD5-based certificates.
+
This rewrite means that Exim will continue to build against GnuTLS in the
future, brings Exim closer to other GnuTLS applications and lets us add
support for SNI and other features more readily. We regret that it wasn't
problem. Prior to this release, supported values were "TLS1" and "SSL3",
so you should be able to update configuration prior to update.
+ [nb: gnutls_require_protocols removed in Exim 4.80, instead use
+ tls_require_ciphers to provide a priority string; see notes above]
+
* The match_<type>{string1}{string2} expansion conditions no longer subject
string2 to string expansion, unless Exim was built with the new
"EXPAND_LISTMATCH_RHS" option. Too many people have inadvertently created
git://git.exim.org / users / jgh / exim.git / blobdiff