[exim-dev] [Bug 674] exim can't verify sha256WithRSAEncrypti…

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 674] New: exim can't verify sha256WithRSAEncryption signature in X. 509 certificates when linked against OpenSSL
Subject: [exim-dev] [Bug 674] exim can't verify sha256WithRSAEncryption signature in X.509 certificates when linked against OpenSSL
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=674




--- Comment #9 from Phil Pennock <exim-dev@???> 2008-08-14 05:49:32 ---
Created an attachment (id=261)
--> (http://bugs.exim.org/attachment.cgi?id=261)
New global option, openssl_load_all

I think this is a reasonable compromise and sensible way forward for now,
without undermining the whole point of the exercise.

A new option, available when SUPPORT_TLS defined, "openssl_load_all". It's a
boolean, default false. It is a fatal error to set this true without also
defining "tls_require_ciphers".

The theory being that anyone who knows to load all algorithms knows enough to
make their own educated decision about a cipher policy but that loading all
algorithms has the risk of adding new dangerous ciphers that should not be
present and would be a security step backwards. This avoids Exim needing to
push a cipher which can become stale and puts Exim only in the position of
having some mild protection against accidental shooting of self in foot.

I was able to use Martin's sha256 stuff successfully with this patch.


Documentation patch to come next, when I write it.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email