Re: [exim] Exim 4.92-RC1

Author: Phil Pennock
Date:  
To: Jeremy Harris
CC: exim-users
Subject: Re: [exim] Exim 4.92-RC1
On 2018-12-14 at 17:22 +0000, Jeremy Harris via Exim-users wrote:
> Possibly the main-config option openssl_options?
>
> The docs list possibilities including
> no_tlsv1
> no_tlsv1_1
>
> so I'd be tempted to try those without the "no_".


Alas, no. You'd want `-no_tlsv1` but I doubt that works here: OpenSSL
is using an orthogonal set of tuning options.

The problem is that the system is using the new OpenSSL configuration
system which is not supported by LibreSSL, so until now we've avoided
it.

This config file is much simpler to support than "moving the TLS
configuration inside the Exim config file". Pretty much we'd want to
use the `SSL_CTX_config()` library call inside Exim's
`tls-openssl.c:tls_init()`, guarded by some macro to protect against
LibreSSL/BoringSSL/whatever.

    if (!SSL_CTX_config(ctx, "exim")) {
      handle_failure_accordingly();
    }


Bonus points for copying the `tcp_wrappers_daemon_name` pattern and
making `"exim"` the default which can be overridden by an administrator.

(I'm not volunteering to do this, I'm busy)

-Phil
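
An added illustration, not part of the original message and not Exim's own configuration: the kind of OpenSSL configuration file an administrator could write if Exim made the `SSL_CTX_config(ctx, "exim")` call sketched above. The section names `openssl_init`, `ssl_configuration` and `exim_tls` and the chosen values are assumptions; only the application name `exim` comes from the message.

```ini
# openssl.cnf fragment (constructed example).
# Assumes the application loads this file and then calls
# SSL_CTX_config(ctx, "exim") on each SSL_CTX it creates.

# Must appear in the default (unnamed) section at the top of the file.
openssl_conf = openssl_init

[openssl_init]
# Enables the "ssl_conf" configuration module and names its section.
ssl_conf = ssl_configuration

[ssl_configuration]
# Left-hand side is the name passed to SSL_CTX_config();
# right-hand side is the section holding the settings for that name.
exim = exim_tls

[exim_tls]
# These are SSL_CONF_cmd(3) file commands, not Exim's openssl_options.
# Protocol floor: refuse anything older than TLS 1.2.
MinProtocol = TLSv1.2
# Cipher list for TLS 1.2 and below, at security level 2.
CipherString = DEFAULT@SECLEVEL=2
```

If the name `exim` has no entry in the `ssl_conf` section, `SSL_CTX_config()` returns 0, which is the failure branch the sketch in the message has to handle.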