[exim-dev] Re: [Bug 3035] New: Support for new SSL context o…

Author: Viktor Dukhovni via Exim-dev
Date:  
To: exim-dev
Subject: [exim-dev] Re: [Bug 3035] New: Support for new SSL context options introduced in OpenSSL 3.0
On Wed, Oct 04, 2023 at 09:39:44PM +0000, Exim Bugzilla via Exim-dev wrote:

> The SSL_OP_NO_EXTENDED_MASTER_SECRET and SSL_OP_IGNORE_UNEXPECTED_EOF options
> were added in OpenSSL 3.0
>
> https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
>
> As far as I can see, Exim does not yet support both options
>


However, there's no good reason to disable EMS; it improves security
with no known downside:

    https://www.ietf.org/rfc/rfc7627.html


As for SSL_OP_IGNORE_UNEXPECTED_EOF, this should be always turned on
internally in Exim, without users having to do it themselves. SMTP has
application-layer framing and does not need TLS to disambiguate message
boundaries.

Though Postfix precedent may not be entirely compelling here, FWIW:

    20230115


        Workaround for a breaking change in OpenSSL 3: always turn
        on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages
        and missed opportunities for TLS session reuse. This is
        safe because the SMTP protocol implements application-level
        framing, and is therefore not affected by TLS truncation
        attacks. Fix by Viktor Dukhovni. Files: tls/tls.h, tls_client.c,
        tls/tls_server.c.


-- 
    Viktor.

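The framing argument above, as an added example (not Exim's, Postfix's or the author's code): a checker that decides whether the bytes received so far end at a complete SMTP reply (RFC 5321 multi-line reply syntax), which is exactly the information an SMTP client already has when the TLS peer disappears without close_notify, so a transport-level "unexpected EOF" adds nothing. Function names are hypothetical and the sample replies are constructed.

```c
/* Constructed example: SMTP reply framing lets a client decide on its own
 * whether a connection ended cleanly, which is why an SMTP implementation
 * can turn SSL_OP_IGNORE_UNEXPECTED_EOF on unconditionally.
 * Hypothetical helper names, not Exim's own code. */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Return 1 if buf[0..len) ends exactly at the end of a complete SMTP reply:
 * zero or more "ddd-text CRLF" continuation lines followed by one final line
 * "ddd SP text CRLF" or "ddd CRLF". Anything else, including a malformed
 * line or a trailing partial reply, is reported as incomplete (0). */
int smtp_reply_complete(const char *buf, size_t len)
{
    size_t pos = 0;

    while (pos < len) {
        const char *line = buf + pos;
        size_t rem = len - pos, ll = 0;

        /* Locate the CRLF that terminates this line. */
        while (ll + 1 < rem && !(line[ll] == '\r' && line[ll + 1] == '\n'))
            ll++;
        if (ll + 1 >= rem)
            return 0;                 /* no CRLF yet: line still in flight */

        /* Every reply line starts with a three-digit code. */
        if (ll < 3 || !isdigit((unsigned char)line[0]) ||
            !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
            return 0;

        pos += ll + 2;                /* consume the line and its CRLF */
        if (ll == 3 || line[3] == ' ')
            continue;                 /* final line; loop ends if nothing follows */
        if (line[3] != '-')
            return 0;                 /* neither continuation nor final line */
        if (pos >= len)
            return 0;                 /* continuation seen, final line not yet */
    }
    return len > 0;
}

/* Convenience wrapper for NUL-terminated strings. */
int smtp_reply_complete_str(const char *s)
{
    return smtp_reply_complete(s, strlen(s));
}

/* What a client concludes when the TLS transport closes without close_notify:
 * truncation only if the reply it was waiting for is still incomplete. */
int smtp_eof_is_truncation(const char *buf, size_t len)
{
    return !smtp_reply_complete(buf, len);
}
```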
