nm4 2009/10/16 10:51:12 BST
Modified files:
exim-doc/doc-docbook spec.xfpt
exim-doc/doc-txt ChangeLog
exim-src/src globals.c globals.h readconf.c tls-gnu.c
Log:
gnutls_compat_mode to allow compatibility with broken clients. fixes: #665
Revision Changes Path
1.59 +11 -0 exim/exim-doc/doc-docbook/spec.xfpt
1.570 +3 -0 exim/exim-doc/doc-txt/ChangeLog
1.85 +1 -0 exim/exim-src/src/globals.c
1.66 +1 -0 exim/exim-src/src/globals.h
1.38 +1 -0 exim/exim-src/src/readconf.c
1.23 +12 -0 exim/exim-src/src/tls-gnu.c
Index: spec.xfpt
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-docbook/spec.xfpt,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -r1.58 -r1.59
--- spec.xfpt 16 Oct 2009 08:52:05 -0000 1.58
+++ spec.xfpt 16 Oct 2009 09:51:12 -0000 1.59
@@ -1,4 +1,4 @@
-. $Cambridge: exim/exim-doc/doc-docbook/spec.xfpt,v 1.58 2009/10/16 08:52:05 tom Exp $
+. $Cambridge: exim/exim-doc/doc-docbook/spec.xfpt,v 1.59 2009/10/16 09:51:12 nm4 Exp $
.
. /////////////////////////////////////////////////////////////////////////////
. This is the primary source of the Exim Manual. It is an xfpt document that is
@@ -12368,6 +12368,7 @@
.row &%gnutls_require_kx%& "control GnuTLS key exchanges"
.row &%gnutls_require_mac%& "control GnuTLS MAC algorithms"
.row &%gnutls_require_protocols%& "control GnuTLS protocols"
+.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode"
.row &%tls_advertise_hosts%& "advertise TLS to these hosts"
.row &%tls_certificate%& "location of server certificate"
.row &%tls_crl%& "certificate revocation list"
@@ -13367,6 +13368,11 @@
This option controls the protocols when GnuTLS is used in an Exim
server. For details, see section &<<SECTreqciphgnu>>&.
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+
.option headers_charset main string "see below"
This option sets a default character set for translating from encoded MIME
@@ -21467,6 +21473,11 @@
This option controls the protocols when GnuTLS is used in an Exim
client. For details, see section &<<SECTreqciphgnu>>&.
+.option gnutls_compat_mode main boolean unset
+This option controls whether GnuTLS is used in compatibility mode in an Exim
+server. This reduces security slightly, but improves interworking with older
+implementations of TLS.
+
.option helo_data smtp string&!! "see below"
.cindex "HELO" "argument, setting"
.cindex "EHLO" "argument, setting"
Index: ChangeLog
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
retrieving revision 1.569
retrieving revision 1.570
diff -u -r1.569 -r1.570
--- ChangeLog 14 Oct 2009 14:48:41 -0000 1.569
+++ ChangeLog 16 Oct 2009 09:51:12 -0000 1.570
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.569 2009/10/14 14:48:41 nm4 Exp $
+$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.570 2009/10/16 09:51:12 nm4 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -111,6 +111,9 @@
NM/20 Bugzilla 167: bool: condition support
Patch provided by Phil Pennock
+NM/21 Bugzilla 665: gnutls_compat_mode to allow compatibility with broken clients
+ Patch provided by Phil Pennock
+
Exim version 4.69
-----------------
Index: globals.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/globals.c,v
retrieving revision 1.84
retrieving revision 1.85
diff -u -r1.84 -r1.85
--- globals.c 15 Oct 2009 08:27:37 -0000 1.84
+++ globals.c 16 Oct 2009 09:51:12 -0000 1.85
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/globals.c,v 1.84 2009/10/15 08:27:37 tom Exp $ */
+/* $Cambridge: exim/exim-src/src/globals.c,v 1.85 2009/10/16 09:51:12 nm4 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -111,6 +111,7 @@
uschar *tls_peerdn = NULL;
#ifdef SUPPORT_TLS
+BOOL gnutls_compat_mode = FALSE;
uschar *gnutls_require_mac = NULL;
uschar *gnutls_require_kx = NULL;
uschar *gnutls_require_proto = NULL;
Index: globals.h
===================================================================
RCS file: /home/cvs/exim/exim-src/src/globals.h,v
retrieving revision 1.65
retrieving revision 1.66
diff -u -r1.65 -r1.66
--- globals.h 15 Oct 2009 08:27:37 -0000 1.65
+++ globals.h 16 Oct 2009 09:51:12 -0000 1.66
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/globals.h,v 1.65 2009/10/15 08:27:37 tom Exp $ */
+/* $Cambridge: exim/exim-src/src/globals.h,v 1.66 2009/10/16 09:51:12 nm4 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -71,6 +71,7 @@
extern uschar *tls_peerdn; /* DN from peer */
#ifdef SUPPORT_TLS
+extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
extern uschar *gnutls_require_mac; /* So some can be avoided */
extern uschar *gnutls_require_kx; /* So some can be avoided */
extern uschar *gnutls_require_proto; /* So some can be avoided */
Index: readconf.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/readconf.c,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- readconf.c 16 Oct 2009 08:51:34 -0000 1.37
+++ readconf.c 16 Oct 2009 09:51:12 -0000 1.38
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/readconf.c,v 1.37 2009/10/16 08:51:34 tom Exp $ */
+/* $Cambridge: exim/exim-src/src/readconf.c,v 1.38 2009/10/16 09:51:12 nm4 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -235,6 +235,7 @@
{ "gecos_name", opt_stringptr, &gecos_name },
{ "gecos_pattern", opt_stringptr, &gecos_pattern },
#ifdef SUPPORT_TLS
+ { "gnutls_compat_mode", opt_bool, &gnutls_compat_mode },
{ "gnutls_require_kx", opt_stringptr, &gnutls_require_kx },
{ "gnutls_require_mac", opt_stringptr, &gnutls_require_mac },
{ "gnutls_require_protocols", opt_stringptr, &gnutls_require_proto },
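Review bot: `gnutls_compat_mode` is registered here only in the main option table, but the spec.xfpt hunk at `@@ -21467` also inserts `.option gnutls_compat_mode main boolean unset` among the smtp transport options (next to `helo_data`), with body text that still says "in an Exim server". Either that second spec entry is a copy-paste of the main-section text and should be dropped or rewritten as a cross-reference to the main option, or a per-transport knob was intended and its table entry is missing from this commit. Worth settling before release, since an admin reading the transport section will try to set it in a transport and get a configuration error.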
Index: tls-gnu.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/tls-gnu.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- tls-gnu.c 14 Oct 2009 13:52:48 -0000 1.22
+++ tls-gnu.c 16 Oct 2009 09:51:12 -0000 1.23
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/tls-gnu.c,v 1.22 2009/10/14 13:52:48 nm4 Exp $ */
+/* $Cambridge: exim/exim-src/src/tls-gnu.c,v 1.23 2009/10/16 09:51:12 nm4 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -792,6 +792,18 @@
gnutls_db_set_cache_expiration(session, ssl_session_timeout);
+/* Reduce security in favour of increased compatibility, if the admin
+decides to make that trade-off. */
+if (gnutls_compat_mode)
+ {
+#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
+ DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
+ gnutls_session_enable_compatibility_mode(session);
+#else
+ DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
+#endif
+ }
+
DEBUG(D_tls) debug_printf("initialized GnuTLS session\n");
return session;
}
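Review bot: When Exim is built against a GnuTLS older than 0x020104, an explicitly configured `gnutls_compat_mode` is silently ignored at runtime — the `#else` branch only emits a `DEBUG(D_tls)` line, so in normal operation the admin who set the option to accommodate broken clients gets no indication that it had no effect. Since the limitation is known at compile time, a build-time diagnostic would be more useful than a per-session debug message, e.g. replacing the `#else` body with `#warning "gnutls_compat_mode is ignored: GnuTLS older than 2.1.4"` or at least a single main-log entry such as `log_write(0, LOG_MAIN, "gnutls_compat_mode requested but GnuTLS is too old; ignored");` (guarded so it is not repeated for every session). The enclosing function begins outside this hunk, so I cannot see whether this session setup is shared by the server and client paths; if it is, the spec wording ("in an Exim server") understates that outbound connections are also affected.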