[Exim] TLS default options

Author: Philip Hazel
Date:  
To: exim-users
Subject: [Exim] TLS default options
I've had second thoughts about the tls_advertise_hosts option, which
defaults to

tls_advertise_hosts = *

I now think that the default should be unset. The reason for this is
that, if you build Exim with TLS support and do nothing else, putting it
into service doesn't work. It advertises TLS, but can't actually operate
if you don't give it a certificate, so clients that support TLS try it,
and fail. I think it would be safer to default TLS to "off".

What do current testers think?

[The reason I didn't suppress advertisement when no certificate is
supplied is that the documentation for openssl suggests that there are
ciphers that don't need a certificate, and I didn't want to lock these
out, though no current client seems to use them, and I haven't managed
to get them to work in testing.]

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
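
Added example (not part of the original message, and not Exim project code): a small Python lint for the state the message describes, where STARTTLS is advertised but no certificate is configured. It assumes tls_certificate is the main-section option that names the server certificate, takes the "*" default from the message, and uses a simplified config parser (no macros or includes); the sample configurations are constructed.

```python
import re

# Constructed samples (not from the original message).
BUILT_ONLY = r"""
# TLS-capable build put into service with no TLS options set
primary_hostname = mail.example.org
begin acl
"""
CONFIGURED = r"""
tls_advertise_hosts = 192.168.0.0/16 : \
    10.0.0.0/8
tls_certificate = /etc/exim/exim.crt
begin routers
"""

def main_options(config_text):
    """Return {name: value} for 'name = value' lines before the first 'begin'."""
    options, pending = {}, ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):              # trailing backslash: continued line
            pending += line[:-1].rstrip() + " "
            continue
        line, pending = pending + line, ""
        if re.match(r"begin\s+\S", line):    # end of the main section
            break
        m = re.match(r"(?:hide\s+)?([a-z][a-z0-9_]*)\s*=\s*(.*)$", line)
        if m:
            options[m.group(1)] = m.group(2).strip()
    return options

def check_tls(config_text, advertise_default="*"):
    """advertise_default="*" is the default the message describes; "" models
    the proposed unset default. Any non-empty host list counts as advertising."""
    opts = main_options(config_text)
    advertise = opts.get("tls_advertise_hosts", advertise_default)
    cert = opts.get("tls_certificate", "")
    if not advertise:
        return ("ok", "STARTTLS is not advertised")
    if not cert:
        return ("warn", "STARTTLS advertised to %r with no tls_certificate" % advertise)
    return ("ok", "STARTTLS advertised, certificate %s" % cert)

if __name__ == "__main__":
    for name, text in (("built-only", BUILT_ONLY), ("configured", CONFIGURED)):
        print(name, check_tls(text))
```

With the "*" default the built-only sample is flagged; passing advertise_default="" shows the same file passing under the proposed unset default.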