[exim-dev] Re: [Bug 3035] New: Support for new SSL context o…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Viktor Dukhovni via Exim-dev
Dátum:  
Címzett: exim-dev
Tárgy: [exim-dev] Re: [Bug 3035] New: Support for new SSL context options introduced in OpenSSL 3.0
On Wed, Oct 04, 2023 at 09:39:44PM +0000, Exim Bugzilla via Exim-dev wrote:

> The SSL_OP_NO_EXTENDED_MASTER_SECRET and SSL_OP_IGNORE_UNEXPECTED_EOF options
> were added in OpenSSL 3.0
>
> https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
>
> As far as I can see, Exim does not yet support both options
>


However, there's no good reason to disable EMS, it improves security
with no known downside:

    https://www.ietf.org/rfc/rfc7627.html


As for SSL_OP_IGNORE_UNEXPECTED_EOF, this should be always turned on
internally in Exim, without users having to do it themselves. SMTP has
application-layer framing and does not need TLS to disambiguate message
boundaries.

Though Postfix precedent may not be entirely compelling here, FWIW:

    20230115


        Workaround for a breaking change in OpenSSL 3: always turn
        on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages
        and missed opportunities for TLS session reuse. This is
        safe because the SMTP protocol implements application-level
        framing, and is therefore not affected by TLS truncation
        attacks. Fix by Viktor Dukhovni. Files: tls/tls.h, tls_client.c,
        tls/tls_server.c.


-- 
    Viktor.


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/