X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/9cbad13b652da19396511434b18e88533c8f9901..83e2f8a2515d1cd787ac68b052f6e4539dd48752:/src/README.UPDATING diff --git a/src/README.UPDATING b/src/README.UPDATING index 0d729a384..a91794d6c 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -26,9 +26,12 @@ The rest of this document contains information about changes in 4.xx releases that might affect a running system. -Exim version 4.78 +Exim version 4.80 ----------------- + * BEWARE backwards-incompatible changes in SSL libraries, thus the version + bump. See points below for details. + * The value of $tls_peerdn is now print-escaped when written to the spool file in a -tls_peerdn line, and unescaped when read back in. We received reports of values with embedded newlines, which caused spool file corruption. 
@@ -77,6 +80,35 @@ Exim version 4.78 new option, you can safely force it off before upgrading, to decouple configuration changes from the binary upgrade while remaining RFC compliant. + * The GnuTLS support has been mostly rewritten, to use 2.12.x APIs. As part + of this, these three options are no longer supported: + + gnutls_require_kx + gnutls_require_mac + gnutls_require_protocols + + Their functionality is entirely subsumed into tls_require_ciphers, which is + no longer parsed apart by Exim but is instead given to + gnutls_priority_init(3), which is no longer an Exim list. See: + + http://www.gnu.org/software/gnutls/manual/html_node/Priority-Strings.html + + for fuller documentation of the strings parsed. The three gnutls_require_* + options are still parsed by Exim and, for this release, silently ignored. + A future release will add warnings, before a later still release removes + parsing entirely and the presence of the options will be a configuration + error. + + Note that by default, GnuTLS will not accept RSA-MD5 signatures in chains. + A tls_require_ciphers value of NORMAL:%VERIFY_ALLOW_SIGN_RSA_MD5 may + re-enable support, but this is not supported by the Exim maintainers. + Our test suite no longer includes MD5-based certificates. + + This rewrite means that Exim will continue to build against GnuTLS in the + future, brings Exim closer to other GnuTLS applications and lets us add + support for SNI and other features more readily. We regret that it wasn't + feasible to retain the three dropped options. + Exim version 4.77 -----------------
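Review bot: The BEWARE bullet added in the first hunk (@@ -26,9 +26,12 @@) says "changes in SSL libraries" and "See points below for details" without saying which library or which points, and the bullet directly beneath it is the unrelated $tls_peerdn item. The only TLS library change visible in this patch is the GnuTLS rewrite added in the second hunk, so the bullet should name what it refers to, for example "backwards-incompatible changes in GnuTLS support (three gnutls_require_* options dropped, tls_require_ciphers no longer an Exim list)", so that an administrator skimming the top of the 4.80 section can tell which builds are affected.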
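Review bot: In the second hunk (@@ -77,6 +80,35 @@) the three gnutls_require_* options are described as "still parsed by Exim and, for this release, silently ignored", which means a configuration that relied on them to restrict key exchange, MAC or protocol choices loses those restrictions on upgrade with no warning. The text should tell administrators explicitly to translate those settings into a tls_require_ciphers priority string before upgrading, and emitting the warning in this release rather than a future one would be the safer sequence. Separately, "which is no longer an Exim list" attaches grammatically to gnutls_priority_init(3); move the clause next to the option it describes, e.g. "tls_require_ciphers, which is no longer an Exim list and is no longer parsed apart by Exim but is instead given to gnutls_priority_init(3)".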