[exim] Exim unaffected by OpenSSL CVE-2011-0014

Author: Phil Pennock
Date:  
To: exim-users
Subject: [exim] Exim unaffected by OpenSSL CVE-2011-0014
To forestall questions:

OpenSSL vulnerability CVE-2011-0014, "OCSP stapling vulnerability in
OpenSSL", does *not* affect Exim.

This is the issue prompting the release of OpenSSL 0.9.8r and 1.0.0d.

Key phrase from their advisory:

Applications are only affected if they act as a server and call
SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX.

Exim does not call that function.

The function is used for the Certificate Status Request from RFC 3546
section 3.6; it's used when a client which wants to verify the
revocation status of a certificate, but which doesn't want to ask an
OCSP provider directly, asks the server to include "current" proof of
non-revocation in the handshake. The function call acts as the hook for
the application to provide that data into the OpenSSL library.

Will Exim ever use this?

Since MTAs don't typically do certificate verification of any kind, no
MTA<->MTA traffic is ever likely to do this.

The Submission protocol is another matter entirely. For that, clients
talk to the server and mail clients may well want the server to do this
for them. I can see Exim one day implementing this feature, for the
Submission port, turned on explicitly by the server admin (since it
creates more work for the server).

That will come after TLS SNI support and is not a high priority.

If there's anyone who *wants* that support, you'll need to point me to
mail-clients which try to use this functionality, so that I can test
interop. If you're a mail client developer and trying to break a
chicken/egg deadlock, talk to me and we can sort out a solution.

-Phil
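As an added illustration (not Exim's or OpenSSL's code), a bounds-checked decoder for the Certificate Status Request extension the post describes (RFC 3546 section 3.6), run over a constructed ClientHello extensions block. It assumes the RFC's wire format and the status_request extension type value 5, and it refuses any declared length that would run past the end of the data rather than reading beyond it.

```python
# Added example, not from Exim or OpenSSL: strict parser for the TLS status_request extension.
import struct

STATUS_REQUEST = 5  # ExtensionType value for status_request (RFC 3546)
OCSP = 1            # CertificateStatusType.ocsp, the only defined status_type

def _take(buf, off, n, what):  # slice n bytes at off, never past the end of buf
    if off + n > len(buf):
        raise ValueError(f"truncated {what}: need {n} bytes at offset {off}")
    return buf[off:off + n], off + n

def _u16(buf, off, what):  # big-endian 16-bit length prefix
    data, off = _take(buf, off, 2, what)
    return struct.unpack("!H", data)[0], off

def parse_status_request(ext):
    """Decode CertificateStatusRequest into a dict; raises ValueError on bad lengths."""
    data, off = _take(ext, 0, 1, "status_type")
    if data[0] != OCSP:              # select(status_type) only defines the ocsp branch
        raise ValueError(f"unknown status_type {data[0]}")
    n, off = _u16(ext, off, "responder_id_list length")
    id_list, off = _take(ext, off, n, "responder_id_list")
    responder_ids, pos = [], 0
    while pos < len(id_list):        # each ResponderID is opaque<1..2^16-1>
        n, pos = _u16(id_list, pos, "ResponderID length")
        if n == 0:
            raise ValueError("empty ResponderID")
        rid, pos = _take(id_list, pos, n, "ResponderID")
        responder_ids.append(rid)
    n, off = _u16(ext, off, "request_extensions length")
    rext, off = _take(ext, off, n, "request_extensions")
    if off != len(ext):
        raise ValueError("trailing bytes after CertificateStatusRequest")
    return {"status_type": OCSP, "responder_ids": responder_ids, "request_extensions": rext}

def find_status_request(extensions):
    """Walk a ClientHello extensions block; return the parsed status_request or None."""
    n, off = _u16(extensions, 0, "extensions length")
    block, off = _take(extensions, off, n, "extensions block")
    pos = 0
    while pos < len(block):          # each item: type(2) length(2) body
        hdr, pos = _take(block, pos, 4, "extension header")
        ext_type, ext_len = struct.unpack("!HH", hdr)
        body, pos = _take(block, pos, ext_len, "extension body")
        if ext_type == STATUS_REQUEST:
            return parse_status_request(body)
    return None

# Constructed sample: server_name ("mail") followed by a status_request for OCSP with one ResponderID ("abc").
SAMPLE_EXTENSIONS = bytes.fromhex("001b 0000 0009 000700 0004 6d61696c 0005 000a 01 0005 0003 616263 0000")
```

A server that wanted to know whether its clients ask for stapling could feed captured ClientHello extension bytes to `find_status_request`; a non-None result means the client sent the request described in the post.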