I have updated the snapshot in
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot.tar.gz.sig
so that people who want to can play with the TLS changes I've just made:
33. GnuTLS: When an attempt to start a TLS session fails for any reason other
than a timeout (e.g. a certificate is required, and is not provided), an
Exim server now closes the connection immediately. Previously it waited for
the client to close - but if the client is SSL, it seems that they each
wait for each other, leading to a delay before one of them times out.
34. GnuTLS: Updated the code to use the new GnuTLS 1.0.0 API. I have not
maintained 0.8.x compatibility because I don't think many are using it, and
it is clearly obsolete.
35. Added TLS support for CRLs: a tls_crl global option and one for the smtp
transport.
36. OpenSSL: $tls_certificate_verified was being set to 1 even if the
client certificate was expired. A simple patch fixes this, though I don't
understand the full logic of why the verify callback is called multiple
times.
37. OpenSSL: a patch from Robert Roselius: "Enable client-bug workaround.
Versions of OpenSSL as of 0.9.6d include a 'CBC countermeasure' feature,
which causes problems with some clients (such as the Certicom SSL Plus
library used by Eudora). This option, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
disables the countermeasure allowing Eudora to connect."
As you can see from the numbers, there are other changes too...
My plan is to get to the end of my current work list of bugs and small
patches and then release 4.31. This is likely to take 2 or 3 weeks.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
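
Item 36 describes a verified flag ending up set for an expired client certificate while the verify callback runs several times. The C model below is an added example, not code from Exim or from this message: it replays an assumed callback sequence in which a callback that tolerates errors (optional verification) is called again with ok=1 for the same certificate, and compares a flag set by the last call with one where any failure is sticky. All names and the call sequences are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* One callback invocation: ok mirrors preverify_ok, depth 0 is the peer cert. */
struct cb_call { int ok; int depth; };
struct verify_state { bool verified; bool failed; };
typedef int (*verify_cb)(struct verify_state *, struct cb_call, int);

/* Symptom pattern: the last ok=1 call at depth 0 decides the flag. */
static int cb_naive(struct verify_state *s, struct cb_call c, int optional) {
    if (!c.ok) { s->verified = false; return optional; }
    if (c.depth == 0) s->verified = true;
    return 1;
}

/* Hardened pattern: a failure anywhere in the chain is sticky. */
static int cb_sticky(struct verify_state *s, struct cb_call c, int optional) {
    if (!c.ok) { s->failed = true; s->verified = false; return optional; }
    if (c.depth == 0 && !s->failed) s->verified = true;
    return 1;
}

/* Replay a sequence; a callback returning 0 aborts the handshake. */
static bool run(verify_cb cb, const struct cb_call *calls, size_t n, int optional) {
    struct verify_state s = { false, false };
    for (size_t i = 0; i < n; i++)
        if (!cb(&s, calls[i], optional)) return false;
    return s.verified;
}

/* Constructed sequences (assumed model): issuer at depth 1, peer at depth 0.
   For the expired peer, the error call is followed by an ok=1 call because
   the tolerant callback asked verification to continue. */
static const struct cb_call EXPIRED_PEER[] = { {1, 1}, {0, 0}, {1, 0} };
static const struct cb_call VALID_CHAIN[]  = { {1, 1}, {1, 0} };

int main(void) {
    printf("naive,  expired peer: verified=%d\n", run(cb_naive, EXPIRED_PEER, 3, 1));
    printf("sticky, expired peer: verified=%d\n", run(cb_sticky, EXPIRED_PEER, 3, 1));
    printf("sticky, valid chain:  verified=%d\n", run(cb_sticky, VALID_CHAIN, 2, 1));
    return 0;
}
```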