Re: [exim-dev] Preliminary dane_require_tls_ciphers support

Author: Jeremy Harris
Date:  
To: exim-dev
Subject: Re: [exim-dev] Preliminary dane_require_tls_ciphers support
On 29/03/18 04:08, Phil Pennock via Exim-dev wrote:
> I've written support for a new SMTP Transport option
> dane_require_tls_ciphers which is like tls_require_ciphers but is used
> in _preference_ to tls_require_ciphers when DANE enabled.
>
> This seemed much saner than requiring lots of conditional logic,
> especially since we already ignore most of the TLS options once DANE is
> in play anyway.
>
> I wrote code for OpenSSL and GnuTLS and tested compilation with OpenSSL.
>
> I wrote docs. I did not write tests, I'm way out of practice on the
> Exim test suite.
>
> Pushed to dane_require_tls_ciphers in the main git repo.


The coding is nicely self-contained, and at a quick glance should do
the job.

I'm unsure about the philosophy of the interface; having one option
override another. You mentioned "complex expansions" before in the
discussion but without detail. I assume that's the same consideration
as "lots of conditional logic" above. Was that discarding the solution
of dnsdb-lookup expansions selecting values for the original
tls_require_ciphers option?


> Jeremy, does this look mergeable/sane? Did we get as far as pre-merge
> testing at any point, rather than post-merge testing?


I'd prefer testing was in place before merge if at all possible.
Certainly in place before it hits a release.

> What sort of coverage do we need from tests? It's honestly going to be
> faster if someone else writes them


I'll have a go, planning to push into the dane_require_tls_ciphers
branch.
--
Cheers,
Jeremy
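The two designs discussed in this thread, as an added configuration illustration that is not part of the thread or of Exim's own documentation: the first transport uses the proposed dane_require_tls_ciphers option, the second shows the alternative Jeremy raises, a dnsdb-lookup expansion inside tls_require_ciphers. The cipher strings and the hosts_try_dane value are constructed examples in OpenSSL syntax.

```exim
# Added example, not code from the patch or from Exim's docs.
# Transport with the proposed option: tls_require_ciphers governs
# ordinary TLS sessions, dane_require_tls_ciphers replaces it once
# DANE is in play, so no conditional expansion is needed.
remote_smtp:
  driver = smtp
  hosts_try_dane = *
  # Constructed cipher strings (OpenSSL format)
  tls_require_ciphers = DEFAULT:!aNULL
  dane_require_tls_ciphers = HIGH:!aNULL:!kRSA

# The alternative asked about in the reply: a single option whose
# expansion picks a value by looking up the peer's TLSA records.
# The dnsdb lookup type "tlsa" is queried at the conventional SMTP
# owner name _25._tcp.<host>; $host is the host being connected to.
remote_smtp_single_option:
  driver = smtp
  hosts_try_dane = *
  tls_require_ciphers = ${lookup dnsdb{tlsa=_25._tcp.$host} \
                          {HIGH:!aNULL:!kRSA} \
                          {DEFAULT:!aNULL}}
```

The lookup in the second transport only tells you whether TLSA records exist, not whether Exim will actually verify the connection under DANE (the zone may be unsigned or the records unusable), which is the kind of conditional logic the dedicated option sidesteps.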