[exim-dev] [Bug 1095] New: Uses (soon to be) deprecated GnuT…

Top Page

Reply to this message
Author: Andreas Metzler
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 1095] Uses (soon to be) deprecated GnuTLS functions, [exim-dev] [Bug 1095] Uses (soon to be) deprecated GnuTLS functions, [exim-dev] [Bug 1095] Uses (soon to be) deprecated GnuTLS functions, [exim-dev] [Bug 1095] Uses (soon to be) deprecated GnuTLS functions, [exim-dev] [Bug 1095] Uses (soon to be) deprecated GnuTLS functions, [exim-dev] [Bug 1095] Uses (soon to be) deprecated GnuTLS functions, [exim-dev] [Bug 1095] Uses (soon to be) deprecated GnuTLS functions, [exim-dev] [Bug 1095] Uses (soon to be) deprecated GnuTLS functions
Subject: [exim-dev] [Bug 1095] New: Uses (soon to be) deprecated GnuTLS functions
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1095
           Summary: Uses (soon to be) deprecated GnuTLS functions
           Product: Exim
           Version: 4.75 RC1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
        AssignedTo: nigel@???
        ReportedBy: eximusers@???
                CC: exim-dev@???



Building exim against GnuTLS 2.11.7 ("Consider that a release candidate for
2.12.0") yields the following warnings:
------------------------------
tls-gnu.c: In function 'verify_certificate':
tls-gnu.c:237:3: warning: 'gnutls_certificate_verify_peers' is deprecated
(declared at /usr/include/gnutls/compat.h:325)
In file included from tls.c:84:0:
tls-gnu.c: In function 'tls_session_init':
tls-gnu.c:775:1: warning: 'gnutls_cipher_set_priority' is deprecated (declared
at /usr/include/gnutls/compat.h:330)
tls-gnu.c:776:1: warning: 'gnutls_compression_set_priority' is deprecated
(declared at /usr/include/gnutls/compat.h:334)
tls-gnu.c:777:1: warning: 'gnutls_kx_set_priority' is deprecated (declared at
/usr/include/gnutls/compat.h:337)
tls-gnu.c:778:1: warning: 'gnutls_protocol_set_priority' is deprecated
(declared at /usr/include/gnutls/compat.h:339)
tls-gnu.c:779:1: warning: 'gnutls_mac_set_priority' is deprecated (declared at
/usr/include/gnutls/compat.h:332)
------------------------------

gnutls_certificate_verify_peers is superseded by
gnutls_certificate_verify_peers2 (available since 1.2, 2005-01-27). The fix
should not be too painful.

Replacing the *_set_priority stuff is going to be harder. They are exposed to
the user via gnutls_require_kx, gnutls_require_mac, gnutls_require_protocols
and tls_require_ciphers.

The successor functions to these are the gnutls_priority_* ones. (Added in
2.2.0 2007-12-14) They accept a combined priority string (e.g. "NORMAL" or
"SECURE:-VERS-SSL3.0:+COMP-DEFLATE").

I guess on the exim side something like this needs to happen:

* Continue to accept the gnutls_require_* settings but ignore them.
* Either update or drop the GnuLS mapping in tls_require_ciphers.
* Add a gnutls_priority setting.

This is not very, very urgent but also not a item of a far set future. I
suspect the first stable GnuTLS release that drops these interfaces wlill take
at least 8 months (November 2011) to appear.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email