[exim-cvs] OpenSSL fixes and backwards compat break.
|This message is part of the following thread:|
|the complete thread tree sorted by date|
Commit: da3ad30dcfbb4770835c2b7e165bb719f76cfc16 Parent: e74376d84aa63876c9a3b240513b8f38920733b7 Author: Phil Pennock <pdp@???> AuthorDate: Thu May 3 19:11:49 2012 -0700 Committer: Phil Pennock <pdp@???> CommitDate: Thu May 3 19:11:49 2012 -0700
OpenSSL fixes and backwards compat break.
Drop SSL_clear() after SSL_new() which causes protocol negotiation failures for TLS1.0 vs TLS1.1/1.2 in OpenSSL 1.0.1b.
Remove SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (+dont_insert_empty_fragments) from default of openssl_options. --- doc/doc-docbook/spec.xfpt | 23 +++++++++++++---------- doc/doc-txt/ChangeLog | 4 ++++ doc/doc-txt/NewStuff | 9 +++++++++ doc/doc-txt/OptionLists.txt | 2 +- src/README.UPDATING | 16 ++++++++++++++++ src/src/tls-openssl.c | 20 +++++++++++++++----- 6 files changed, 58 insertions(+), 16 deletions(-)
Possible options may include: diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index b41783d..a491cf9 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -69,6 +69,10 @@ PP/15 LDAP: Check for errors of TLS initialisation, to give correct diagnostics. Report and patch from Dmitry Banschikov.
+PP/16 Removed "dont_insert_empty_fragments" fron "openssl_options". + Removed SSL_clear() after SSL_new() which led to protocol negotiation + failures. We appear to now support TLS1.1+ with Exim. +
Exim version 4.77 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index b962b61..0aee33c 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -33,6 +33,15 @@ Version 4.78 into the DBM library. Can be used with gsasl to access sasldb2 files as used by Cyrus SASL.
+ 6. OpenSSL now supports TLS1.1 and TLS1.2 with OpenSSL 1.0.1. + + Avoid release 1.0.1a if you can. Note that the default value of + "openssl_options" is no longer "+dont_insert_empty_fragments", as that + increased susceptibility to attack. This may still have interoperability + implications for very old clients (see version 4.31 change 37) but + administrators can choose to make the trade-off themselves and restore + compatibility at the cost of session security. +
Version 4.77 ------------ diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt index 5313fd1..b10f3f1 100644 --- a/doc/doc-txt/OptionLists.txt +++ b/doc/doc-txt/OptionLists.txt @@ -373,7 +373,7 @@ once string* unset autoreply once_file_size integer 0 autoreply 3.20 once_repeat time 0s autoreply 2.95 one_time boolean false redirect 4.00 -openssl_options string "+dont_insert_empty_fragments" main 4.73 +openssl_options string unset main 4.73 default to unset in 4.78 optional boolean false iplookup 4.00 oracle_servers string unset main 4.00 owners string list unset redirect 4.00 diff --git a/src/README.UPDATING b/src/README.UPDATING index 3dff7c0..5b6bea8 100644 --- a/src/README.UPDATING +++ b/src/README.UPDATING @@ -47,6 +47,22 @@ Exim version 4.78
"openssl_options" gains "no_tlsv1_1", "no_tlsv1_2" and "no_compression".
+ COMPATIBILITY WARNING: The default value of "openssl_options" is no longer + "+dont_insert_empty_fragments". We default to unset. That old default was + grandfathered in from before openssl_options became a configuration option. + Empty fragments are inserted by default through TLS1.0, to partially defend + against certain attacks; TLS1.1+ change the protocol so that this is not + needed. The DIEF SSL option was required for some old releases of mail + clients which did not gracefully handle the empty fragments, and was + initially set in Exim release 4.31 (see ChangeLog, item 37). + + If you still have affected mail-clients, and you see SSL protocol failures + with this release of Exim, set: + openssl_options = +dont_insert_empty_fragments + in the main section of your Exim configuration file. You're trading off + security for compatibility. Exim is now defaulting to higher security and + rewarding more modern clients. + * Ldap lookups returning multi-valued attributes now separate the attributes with only a comma, not a comma-space sequence. Also, an actual comma within a returned attribute is doubled. This makes it possible to parse the diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index e2e150c..5e8c804 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -695,7 +695,19 @@ else if (verify_check_host(&tls_try_verify_hosts) == OK) /* Prepare for new connection */
|This message was posted to the following mailing lists:|
Mailing List Info | Nearby Messages
|[exim-cvs] LDAP: Check for errors of TLS initialisation||[exim-cvs] spurious compiler warning of unused var fix|
|Tahini and Hummus Development Archives administrated by Hummus Admins||Lurker (version 2.3)|