[exim-cvs] Add documentation

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Exim Git Commits Mailing List
Ημερομηνία:  
Προς: exim-cvs
Αντικείμενο: [exim-cvs] Add documentation
Gitweb: http://git.exim.org/exim.git/commitdiff/214042d23115fe1353ee41041ec91a9dbba3b23d
Commit:     214042d23115fe1353ee41041ec91a9dbba3b23d
Parent:     a63be306e4bcb803e7aa3ab673a2e1d867adaaba
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Mar 15 12:29:31 2014 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sat Mar 15 12:29:31 2014 +0000


    Add documentation
---
 doc/doc-docbook/spec.xfpt |   28 ++++++++++++++++++++++++++++
 doc/doc-txt/ChangeLog     |    2 ++
 doc/doc-txt/NewStuff      |    5 +++++
 3 files changed, 35 insertions(+), 0 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index edb577a..748f5c9 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23018,6 +23018,14 @@ unknown state), opens a new one to the same host, and then tries the delivery
in clear.


+.option tls_try_verify_hosts smtp "host list&!! unset
+.cindex "TLS" "server certificate verification"
+.cindex "certificate" "verification of server"
+For OpenSSL only, this option gives a list of hosts for which
+certificate verification will be tried but need not succeed.
+The &%tls_verify_certificates%& option must also be set.
+
+
.option tls_verify_certificates smtp string&!! unset
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
@@ -23032,6 +23040,20 @@ single file if you are using GnuTLS. The values of &$host$& and
&$host_address$& are set to the name and address of the server during the
expansion of this option. See chapter &<<CHAPTLS>>& for details of TLS.

+For back-compatability, or when GnuTLS is used,
+if neither tls_verify_hosts nor tls_try_verify_hosts are set
+and certificate verification fails the TLS connection is closed.
+
+
+.option tls_verify_hosts smtp "host list&!! unset
+.cindex "TLS" "server certificate verification"
+.cindex "certificate" "verification of server"
+For OpenSSL only, this option gives a list of hosts for which
+certificate verification must succeed.
+The &%tls_verify_certificates%& option must also be set.
+If both this option and &%tls_try_verify_hosts%& are unset
+operation is as if this option selected all hosts.
+



@@ -25933,6 +25955,12 @@ for OpenSSL only (not GnuTLS), a directory, that contains a collection of
expected server certificates. The client verifies the server's certificate
against this collection, taking into account any revoked certificates that are
in the list defined by &%tls_crl%&.
+Failure to verify fails the TLS connection unless either of the
+&%tls_verify_hosts%& or &%tls_try_verify_hosts%& options are set.
+
+The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict
+certificate verification to the listed servers. Verification either must
+or need not succeed respectively.

 If
 &%tls_require_ciphers%& is set on the &(smtp)& transport, it must contain a
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index d5c09f4..c1640f7 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -32,6 +32,8 @@ JH/02 Add ${listextract {number}{list}{success}{fail}}.
 TL/03 Bugzilla 1433: Fix DMARC SEGV with specific From header contents.
       Properly escape header and check for NULL return.


+JH/03 Add tls_{,try_}verify_hosts to smtp transport. OpenSSL only.
+

 Exim version 4.82
 -----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 11cfcff..e4f2e29 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -14,6 +14,11 @@ Version 4.83
     actual external source IP:host be used in exim instead of the IP of the
     proxy that is connecting to it.


+ 2. When built with OpenSSL the smtp transport now supports options
+    "tls_verify_hosts" and "tls_try_verify_hosts".  If either is set the
+    certificate verification is split from the encryption operation. The
+    default remains that a failed verification cancels the encryption.
+


Version 4.82
------------