Re: [exim] Exim 4.93 Received Header tls clause

Góra strony
Delete this message
Reply to this message
Autor: Viktor Dukhovni
Data:  
Dla: exim-users
Temat: Re: [exim] Exim 4.93 Received Header tls clause
On Wed, Nov 13, 2019 at 06:27:42PM +0100, Wolfgang Breyha via Exim-users wrote:

> While testing 4.93-RCx I recognized that it uses a new default for Received:
> headers including TLS information as RFC 8314 defines it using
> by <hostname> with esmtps tls TLS_AES_256_GCM_SHA384
> instead of
> by <hostname> with esmtps (TLSv1.3:TLS_AES_256_GCM_SHA384:256)
>
> Am I the only one missing the TLS Version? Yes, RFC 8314 failed to define the
> "tls clause" to include it while defining optional "group" information.
>
> I think it's no good idea to change the default in favor of that RFC while
> dropping important information like the TLS Version used.


I agree that the new format is inadequate, especially for TLS 1.3.
In Postfix I've kept, and even expanded the "comment" form of the
TLS trace info. For example:

    Received: from mail-pf1-x441.google.com (mail-pf1-x441.google.com [IPv6:2607:f8b0:4864:20::441])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
        key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        ...


If a client certificate were also used, there'd be additional
key-value pairs for the client signature and client digest (except
with ed25519 and ed448, which don't use a digest).

-- 
    Viktor.