Author: Jeremy Harris Date: To: exim-users Subject: Re: [exim] TLS renegotiation CVE-2011-1473 BUG
On 20/06/16 07:18, Sandeep Singh wrote: > I want to fix the TLS renegotiation in exim ( CVE-2011-1473 ). I tried a
> lot but not able to find the right option in exim.conf.
There isn't one.
>From the CVE description it isn't clear that it's worth addressing. It looks like the coding required is to add a callback for a
(re)negotiation event, failing any but the first (or possibly
rate_limiting them). Quite a lot of complexity for an attack just
as simply done by multiple connections. Admittedly the latter
has more visibility to admins.
--
Cheers,
Jeremy