Re: [exim] [exim-dev] Exim 4.87 RC3 uploaded

Author: The Doctor
To: Jeremy Harris
CC: exim users, exim-maintainers
Subject: Re: [exim] [exim-dev] Exim 4.87 RC3 uploaded
On Mon, Jan 18, 2016 at 06:00:09PM +0000, Jeremy Harris wrote:
> Hash: SHA256
> The ftp site:
> now has RC3 of Exim 4.87 available. Built and
> signed by myself.
> Changes of interest since RC2:
> - - DKIM: fix quoted-printable decode
> - - Malware: Fix potential spin-on-read-error with kavdaemon
> - - dnslists: permit use with explicit key(s) in nonsmtp ACLs. Bug 1748
> - - Pretty print for -bP config
> - - Consolidate base64 encode/decode routines
> - - New expansion operator base64d, and base64 as synonym for str2b64. Bug 1746
> - - Support certificates in base64 expansion operator. Bug 1762
> - - DKIM: use TLS library where possible in preference to embedded PolarSSL copy
> - - add requirement on good HELO in the example configuration
> - - OpenSSL: Default the SINGLE_DH_USE option flag set
> - - Expansions: fix memory-usage bug in ${run }. Bug 1778
> - - Permit an ACL to override the default 252 VRFY response. Bug 1769
> - - Restrict line lengths in bounces. Bug 1760
> No feature-introductions will be accepted in the mainline code branch
> between now and 4.87 final release. Bug fixes are still welcome.
> Please report issues here in the exim-dev or
> exim-users mailinglist, or by raising bugs
> on http://bugs.exim/org

OpenSSL 1.1 concern

gcc tls.c
In file included from tls.c:124:
tls-openssl.c: In function `rsa_callback':
tls-openssl.c:247: warning: `RSA_generate_key' is deprecated (declared at /usr/contrib/include/openssl/rsa.h:322)
tls-openssl.c: In function `tls_client_stapling_cb':
tls-openssl.c:1191: dereferencing pointer to incomplete type
In file included from tls.c:124:
tls-openssl.c: In function `vaguely_random_number':
tls-openssl.c:2560: warning: `RAND_pseudo_bytes' is deprecated (declared at /usr/contrib/include/openssl/rand.h:98)
*** Error code 1

*** Error code 1


Concern 3: RAND_pseudo_bytes should be replaced by RAND_bytes in OpenSSL 1.1.

Concern 1

man RSA_generate_key_ex
man: Formatting manual page...

RSA_generate_key(3)          OpenSSL          RSA_generate_key(3)

       RSA_generate_key_ex, RSA_generate_key - generate RSA key

        #include <openssl/rsa.h>

        int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);


        #if OPENSSL_API_COMPAT < 0x00908000L
        RSA *RSA_generate_key(int num, unsigned long e,
           void (*callback)(int,int,void *), void *cb_arg);

       RSA_generate_key_ex() generates a key pair and stores it
       in the RSA structure provided in rsa. The pseudo-random
       number generator must be seeded prior to calling

       The modulus size will be of length bits, and the public
       exponent will be e. Key sizes with num < 1024 should be
       considered insecure.  The exponent is an odd number,
       typically 3, 17 or 65537.

       A callback function may be used to provide feedback about
       the progress of the key generation. If cb is not NULL, it
       will be called as follows using the BN_GENCB_call()
       function described on the BN_generate_prime(3) page.

       o   While a random prime number is generated, it is called
           as described in BN_generate_prime(3).

       o   When the n-th randomly generated prime is rejected as
           not suitable for the key, BN_GENCB_call(cb, 2, n) is

       o   When a random p has been found with p-1 relatively
           prime to e, it is called as BN_GENCB_call(cb, 3, 0).

       The process is then repeated for prime q with
       BN_GENCB_call(cb, 3, 1).

       RSA_generate_key is deprecated (new applications should
       use RSA_generate_key_ex instead). RSA_generate_key works
       in the same was as RSA_generate_key_ex except it uses "old    
       style" call backs. See BN_generate_prime(3) for further

       If key generation fails, RSA_generate_key() returns NULL.

1.1.0-pre3-dev              2016-01-18                          1

RSA_generate_key(3)          OpenSSL          RSA_generate_key(3)

       The error codes can be obtained by ERR_get_error(3).

       BN_GENCB_call(cb, 2, x) is used with two different

       RSA_generate_key() goes into an infinite loop for illegal
       input values.

       ERR_get_error(3), rand(3), rsa(3), RSA_free(3),

1.1.0-pre3-dev              2016-01-18                          2    

Any workaround?

Concern 2

STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;

Why does this happen under OpenSSL 1.1?

Member - Liberal International This is Ici
God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism
Birthdate 29 Jan 1969 Redhill, Surrey, UK