[Exim] Eudora and tls_try_verify_hosts

Pàgina inicial
Delete this message
Reply to this message
Autor: Tony Finch
Data:  
A: exim-users
Assumpte: [Exim] Eudora and tls_try_verify_hosts
Has anyone tried something like the following configuration?

tls_try_verify_hosts    = *
tls_verify_certificates = CERTS/client


The idea was to be able to support client TLS verification for select
machine in the future by just dropping files in the CERTS/client
directory. However this seems to cause Eudora to throw its toys out of the
pram, as described in the interoperability section of
http://www.sendmail.org/~ca/email/starttls.html

There's a comment in the Exim source about OpenSSL interoperability bug
workarounds:

/* Enable client-bug workaround.
Versions of OpenSSL as of 0.9.6d include a "CBC countermeasure" feature,
which causes problems with some clients (such as the Certicom SSL Plus
library used by Eudora). This option, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS,
disables the coutermeasure allowing Eudora to connect.
Some poppers and MTAs use SSL_OP_ALL, which enables all such bug
workarounds. */

However the list of workarounds doesn't seem to include one for this
Eudora problem -- see
http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html

There is a big list of M$ workarounds. If I get more SSL problem reports I
may try using SSL_OP_ALL to see if it makes the users go away :-)

--
Tony Finch <dot@???> http://dotat.at/