[exim-cvs] Support safari_ecdhe_ecdsa_bug for openssl_option…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Exim Git Commits Mailing List
Dátum:  
Címzett: exim-cvs
Tárgy: [exim-cvs] Support safari_ecdhe_ecdsa_bug for openssl_options
Gitweb: http://git.exim.org/exim.git/commitdiff/e2fbf4a211bdcff441c50f58f3c1f1fb17f56d61
Commit:     e2fbf4a211bdcff441c50f58f3c1f1fb17f56d61
Parent:     d13cdd3049b0191bbb275f9a6cf11dc0917a1f0c
Author:     Phil Pennock <pdp@???>
AuthorDate: Sun Jun 16 21:32:11 2013 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Sun Jun 16 21:32:11 2013 -0400


    Support safari_ecdhe_ecdsa_bug for openssl_options
---
 doc/doc-docbook/spec.xfpt |   11 +++++++++++
 doc/doc-txt/ChangeLog     |    4 ++++
 src/src/tls-openssl.c     |    7 ++++++-
 3 files changed, 21 insertions(+), 1 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 56ce069..29214e3 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -14742,6 +14742,8 @@ Possible options may include:
.next
&`no_tlsv1_2`&
.next
+&`safari_ecdhe_ecdsa_bug`&
+.next
&`single_dh_use`&
.next
&`single_ecdh_use`&
@@ -14757,6 +14759,15 @@ Possible options may include:
&`tls_rollback_bug`&
.endlist

+.new
+As an aside, the &`safari_ecdhe_ecdsa_bug`& item is a misnomer and affects
+all clients connecting using the MacOS SecureTransport TLS facility prior
+to MacOS 10.8.4, including email clients. If you see old MacOS clients failing
+to negotiate TLS then this option value might help, provided that your OpenSSL
+release is new enough to contain this work-around. This may be a situation
+where you have to upgrade OpenSSL to get buggy clients working.
+.wen
+

 .option oracle_servers main "string list" unset
 .cindex "Oracle" "server list"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index d84e2aa..f9a3767 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -205,6 +205,10 @@ PP/21 Fix eximon continuous updating with timestamped log-files.
 PP/22 Guard LDAP TLS usage against Solaris LDAP variant.
       Report from Prashanth Katuri.


+PP/23 Support safari_ecdhe_ecdsa_bug for openssl_options.
+      It's SecureTransport, so affects any MacOS clients which use the
+      system-integrated TLS libraries, including email clients.
+


Exim version 4.80.1
-------------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 6f2646f..b273fff 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2061,7 +2061,9 @@ all options unless explicitly for DTLS, let the administrator choose which
to apply.

This list is current as of:
- ==> 1.0.1b <== */
+ ==> 1.0.1b <==
+Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
+*/
static struct exim_openssl_option exim_openssl_options[] = {
/* KEEP SORTED ALPHABETICALLY! */
#ifdef SSL_OP_ALL
@@ -2126,6 +2128,9 @@ static struct exim_openssl_option exim_openssl_options[] = {
#ifdef SSL_OP_NO_TLSv1_2
{ US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
#endif
+#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+ { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
+#endif
#ifdef SSL_OP_SINGLE_DH_USE
{ US"single_dh_use", SSL_OP_SINGLE_DH_USE },
#endif