Re: [exim-dev] Avoid OpenSSL 1.0.1 for Exim, for now

Author: Phil Pennock
Date:  
To: exim-dev
Subject: Re: [exim-dev] Avoid OpenSSL 1.0.1 for Exim, for now
On 2012-05-03 at 06:21 -0700, Phil Pennock wrote:
> OpenSSL 1.0.1 adds support for TLS1.1 and TLS1.2. It is also not
> working with Exim at present!
> I'm currently talking with the OpenSSL developers over on the
> openssl-users mailing-list, trying to figure out what's happened. I
> think I've narrowed down the line of code in Exim which causes things to
> go horribly wrong, but don't yet know *why* it's going wrong.
That thread didn't go much of anywhere. However: removing a call to
SSL_clear() got basic interop working.

My setting SSL_MODE_AUTO_RETRY in the context got basic renegotiation
working, for TLS1.0.

This fix to OpenSSL (1.0.0c, will be in d):
http://cvs.openssl.org/chngview?cn=22565

gets renegotiation working for TLS 1.1 and 1.2; without that,
renegotiation is clamped to TLS1.0 and fails.

I can confirm that with a fixed OpenSSL library, TLS renegotiation works
fine with Exim master head, including in combination with SNI. We're in
a stronger situation there.

My GnuTLS revamp is in progress; alas, it's more laborious than expected
since the documentation is for GnuTLS 3, but the OS vendors have stuck
to GnuTLS 2. Perhaps not unrelated to 3 being released with the
tarballs being only available in two non-prolific compression schemes
(.xz and .lz), dropping both .gz and .bz2. *sigh* I do want to get rid
of the API deprecation warnings (even with 2), and get SNI support in
there, for feature parity.

-Phil