[Exim] New snapshot - TLS updates

Page principale
Supprimer ce message
Répondre à ce message
Auteur: Philip Hazel
Date:  
À: exim-users
Sujet: [Exim] New snapshot - TLS updates
I have updated the snapshot in

ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot.tar.gz.sig

so that people who want to can play with the TLS changes I've just made:

33. GnuTLS: When an attempt to start a TLS session fails for any reason other
    than a timeout (e.g. a certificate is required, and is not provided), an
    Exim server now closes the connection immediately. Previously it waited for
    the client to close - but if the client is SSL, it seems that they each
    wait for each other, leading to a delay before one of them times out.


34: GnuTLS: Updated the code to use the new GnuTLS 1.0.0 API. I have not
    maintained 0.8.x compatibility because I don't think many are using it, and
    it is clearly obsolete.


35. Added TLS support for CRLs: a tls_crl global option and one for the smtp
    transport.


36. OpenSSL: $tls_certificate_verified was being set to 1 even if the
    client certificate was expired. A simple patch fixes this, though I don't
    understand the full logic of why the verify callback is called multiple
    times.


37. OpenSSL: a patch from Robert Roselius: "Enable client-bug workaround.
    Versions of OpenSSL as of 0.9.6d include a 'CBC countermeasure' feature,
    which causes problems with some clients (such as the Certicom SSL Plus
    library used by Eudora). This option, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
    disables the coutermeasure allowing Eudora to connect."


As you can see from the numbers, there are other changes too...

My plan is to get to the end of my current work list of bugs and small
patches and then release 4.31. This is likely to take 2 or 3 weeks.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.