[exim] Future: OpenSSL SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS

Author: Phil Pennock
Date:  
To: exim-users
Subject: [exim] Future: OpenSSL SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
Folks,

Historically, when setting up an SSL session using OpenSSL, Exim has
supplied the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option, because an
administrator who needed it supplied the patch.

I've just committed code which adds a new "openssl_options" option to
the main config. The default value of this preserves the old behaviour,
because changing it would mean that theoretically some setups which used
to work would then stop working.

I would like to change the default, to not set any options by default.
This is not just a desire for cleanliness -- the option is disabling a
security countermeasure.

Is there anyone here who knows that they support ancient buggy devices
which need this option set?

The most administrator-friendly approach going forward is probably going
to be to let Exim 4.73 go out with this new option with the current
default and then have Exim 4.74 change the default to be no value, so
that people have time to set the desired behaviour explicitly in their
configs and don't have to keep config and software version in
lockstep as they roll out a release.

Does anyone here have strong opinions on this?

If you want to trial this, you can build from HEAD (or wait for 4.73, at
some point in the future, no timeline yet) and set:

openssl_options = -all

Thanks,
-Phil
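As an added illustration (not Exim's code and not part of the post), a small resolver that applies an openssl_options line to Exim's old hard-coded default and reports whether the empty-fragment countermeasure is still active. It assumes Exim's documented "+name"/"-name" token syntax for this option; the SSL_OP_* bit values are those of OpenSSL 1.0-era ssl.h and the table is a constructed subset.

```python
# Constructed subset of OpenSSL's SSL_OP_* bug-workaround flags
# (values as in OpenSSL 1.0-era <openssl/ssl.h>; not Exim's own table).
OPENSSL_OPTIONS = {
    "microsoft_big_sslv3_buffer": 0x00000020,
    "tls_block_padding_bug": 0x00000200,
    "dont_insert_empty_fragments": 0x00000800,
}

# "all" here means every flag in the table above (a stand-in for SSL_OP_ALL).
ALL_MASK = 0
for _bits in OPENSSL_OPTIONS.values():
    ALL_MASK |= _bits

# Exim's historic behaviour: SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS always set.
LEGACY_DEFAULT = OPENSSL_OPTIONS["dont_insert_empty_fragments"]


def resolve_openssl_options(spec, start=LEGACY_DEFAULT):
    """Apply a space-separated list of +name / -name tokens (assumed Exim
    syntax, case-insensitive) to a starting option mask; return the result.
    An empty spec leaves the starting mask unchanged."""
    mask = start
    for token in spec.split():
        if len(token) < 2 or token[0] not in "+-":
            raise ValueError("bad openssl_options token: %r" % token)
        sign, name = token[0], token[1:].lower()
        if name == "all":
            bits = ALL_MASK
        elif name in OPENSSL_OPTIONS:
            bits = OPENSSL_OPTIONS[name]
        else:
            raise ValueError("unknown openssl option: %r" % name)
        # '+' sets the bits, '-' clears them; order of tokens matters.
        mask = (mask | bits) if sign == "+" else (mask & ~bits)
    return mask


def empty_fragment_countermeasure_enabled(mask):
    """True when the CBC empty-fragment countermeasure is NOT disabled,
    i.e. SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS is clear in the mask."""
    return not (mask & OPENSSL_OPTIONS["dont_insert_empty_fragments"])


if __name__ == "__main__":
    for spec in ("", "-all", "-all +microsoft_big_sslv3_buffer"):
        mask = resolve_openssl_options(spec)
        print("openssl_options = %-40r mask=0x%08x countermeasure=%s"
              % (spec, mask, empty_fragment_countermeasure_enabled(mask)))
```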