Hello there,
Long-time user, first time poster/patcher...
Just finished struggling with Eudora TLS negotiation on some new
systems. Using Exim 4.30 (Thanks, Philip!) from the rpms-for-exim
(Thanks, Nigel!), with OpenSSL 0.9.7a on Linux (Fedora Core 1).
Eudora, with STARTTLS enabled or required for SMTP, would give
"SSL Negotiation Failed" errors on attempts to send mail. The
following patch allowed Eudora 5 to STARTTLS with Exim (after
the required chicken dance with the certificates in Eudora):
======================================================================
--- exim-4.30/src/tls-openssl.c.orig 2004-02-11 18:35:45.000000000 -0700
+++ exim-4.30/src/tls-openssl.c 2004-02-12 11:21:44.000000000 -0700
@@ -343,6 +343,20 @@
if (!(SSL_CTX_set_info_callback(ctx, (void (*)())info_callback)))
return tls_error(US"SSL_CTX_set_info_callback", host);
+#if OPENSSL_VERSION_NUMBER > 0x00906040L
+/* Enable client-bug workaround.
+ Versions of OpenSSL as of 0.9.6d include a "CBC countermeasure" feature,
+ which causes problems with some clients (such as the Certicom SSL Plus
+ library used by Eudora). This option, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
+ disables the coutermeasure allowing Eudora to connect.
+ Some poppers and MTAs use SSL_OP_ALL, which enables all such bug
+ workarounds. */
+/* XXX (Silently?) ignore failure here? XXX*/
+
+if (!(SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)))
+ return tls_error(US"SSL_CTX_set_option", host);
+#endif
+
/* Initialize with DH parameters if supplied */
if (!init_dh(dhparam)) return DEFER;
======================================================================
I see that Eudora 5.2.1 appears to have a workaround for this bug:
http://www.eudora.com/download/eudora/windows/5.2.1/RelNotes.txt
but my users have a variety of (mostly older) Eudora versions.
Hope someone finds a use for the info, or at least points out my glaring
mistake(s).
Rob
--
Robert Roselius
Batky-Howell, Inc. - Educating Professional Software Developers