-
-.section "Requiring specific ciphers in GnuTLS" "SECTreqciphgnu"
-.cindex "TLS" "requiring specific ciphers (GnuTLS)"
-.cindex "&%tls_require_ciphers%&" "GnuTLS"
-The GnuTLS library does not have a combined function like OpenSSL. Instead,
-it allows the caller to specify separate lists of key-exchange methods,
-main cipher algorithms, and MAC algorithms. Unfortunately, these lists are
-numerical, and the library does not have a function for turning names into
-numbers. Consequently, the list of recognized names has to be built into
-the application.
-
-At present, Exim permits only the list of main cipher algorithms to be
-changed. The &%tls_require_ciphers%& option is in the same format as for
-OpenSSL. Exim searches each item for the name of available algorithm. For
-example, if the list contains RSA_AES_SHA then AES is recognized.
-
-The cipher algorithms list starts out with a default set of algorithms. If
-the first item in &%tls_require_ciphers%& does &'not'& start with an
-exclamation mark, all the default items are deleted. Thus, only those specified
-can be used. If the first item in &%tls_require_ciphers%& &'does'& start with
-an exclamation mark, the defaults are left on the list.
+.new
+.section "Requiring specific ciphers or other parameters in GnuTLS" &&&
+ "SECTreqciphgnu"
+.cindex "GnuTLS" "specifying parameters for"
+.cindex "TLS" "specifying ciphers (GnuTLS)"
+.cindex "TLS" "specifying key exchange methods (GnuTLS)"
+.cindex "TLS" "specifying MAC algorithms (GnuTLS)"
+.cindex "TLS" "specifying protocols (GnuTLS)"
+.oindex "&%tls_require_ciphers%&" "GnuTLS"
+The GnuTLS library allows the caller to specify separate lists of permitted key
+exchange methods, main cipher algorithms, MAC algorithms, and protocols.
+Unfortunately, these lists are numerical, and the library does not have a
+function for turning names into numbers. Consequently, lists of recognized
+names have to be built into the application. The permitted key exchange
+methods, ciphers, and MAC algorithms may be used in any combination to form a
+cipher suite. This is unlike OpenSSL, where complete cipher suite names are
+passed to its control function.
+
+For compatibility with OpenSSL, the &%tls_require_ciphers%& option can be set
+to complete cipher suite names such as RSA_ARCFOUR_SHA, but for GnuTLS this
+option controls only the cipher algorithms. Exim searches each item in the
+list for the name of an available algorithm. For example, if the list
+contains RSA_AES_SHA, then AES is recognized, and the behaviour is exactly
+the same as if just AES were given.
+
+.oindex "&%gnutls_require_kx%&"
+.oindex "&%gnutls_require_mac%&"
+.oindex "&%gnutls_require_protocols%&"
+There are additional options called &%gnutls_require_kx%&,
+&%gnutls_require_mac%&, and &%gnutls_require_protocols%& that can be used to
+restrict the key exchange methods, MAC algorithms, and protocols, respectively.
+These options are ignored if OpenSSL is in use.
+
+All four options are available as global options, controlling how Exim
+behaves as a server, and also as options of the &(smtp)& transport, controlling
+how Exim behaves as a client. All the values are string expanded. After
+expansion, the values must be colon-separated lists, though the separator
+can be changed in the usual way.
+
+Each of the four lists starts out with a default set of algorithms. If the
+first item in a list does &'not'& start with an exclamation mark, all the
+default items are deleted. In this case, only those that are explicitly
+specified can be used. If the first item in a list &'does'& start with an
+exclamation mark, the defaults are left on the list.
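Review bot: the rewritten section still never lists which names Exim recognizes for each of the four lists, nor what each list's default set is, even though the text itself stresses that the names "have to be built into the application"; as written, a reader cannot tell which values are legal in &%tls_require_ciphers%&, &%gnutls_require_kx%&, &%gnutls_require_mac%& or &%gnutls_require_protocols%&, so add the recognized-name tables and the defaults (or a cross-reference to where they are documented). The final paragraph is also incomplete: it says that a leading exclamation mark keeps the defaults, but not what a "!"-prefixed item itself does (remove that algorithm from the list?) or whether "!" is honoured on items after the first; one sentence stating that would remove the ambiguity. Finally, the new ".new" marker has no matching ".wen" within the changed lines; confirm the closing marker is present in the unchanged context that follows.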