------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugs.exim.org/show_bug.cgi?id=674
--- Comment #9 from Phil Pennock <exim-dev@???> 2008-08-14 05:49:32 ---
Created an attachment (id=261) --> (http://bugs.exim.org/attachment.cgi?id=261)
New global option, openssl_load_all
I think this is a reasonable compromise and sensible way forward for now,
without undermining the whole point of the exercise.
A new option, available when SUPPORT_TLS is defined: "openssl_load_all". It's a
boolean, default false. It is a fatal error to set this true without also
defining "tls_require_ciphers".
The theory is that anyone who knows to load all algorithms knows enough to
make their own educated decision about a cipher policy, but that loading all
algorithms has the risk of adding new dangerous ciphers that should not be
present and would be a security step backwards. This avoids Exim needing to
push a cipher list which can become stale, and puts Exim only in the position of
having some mild protection against accidental shooting of self in foot.
I was able to use Martin's sha256 stuff successfully with this patch.
Documentation patch to come next, when I write it.
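As an added illustration (not part of the comment above or the attached patch), this is how the two settings pair in an Exim main configuration under the rule the comment describes: the first form is rejected at startup, the second is accepted. The cipher string is an assumed illustrative policy, not one the page recommends.

```exim
# Assumed illustrative fragment of the Exim main configuration section.

# Rejected under the proposed patch: loading every OpenSSL algorithm
# without pinning a cipher policy is a fatal configuration error.
# (Exim allows comments only on their own lines, so this form is shown
# commented out rather than as a trailing note.)
#
# openssl_load_all = true

# Accepted: the administrator opts into the wider algorithm set and
# takes responsibility for the cipher policy themselves.
# The OpenSSL cipher string below is an assumed example policy.
openssl_load_all = true
tls_require_ciphers = HIGH:!aNULL:!MD5
```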