From: Nigel Metheringham Date: Fri, 16 Oct 2009 09:51:12 +0000 (+0000) Subject: gnutls_compat_mode to allow compatibility with broken clients. fixes: #665 X-Git-Tag: exim-4_70_RC3~35 X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=e6060e2ce135caa2d48e682c4d76d071ff760a30;p=exim.git gnutls_compat_mode to allow compatibility with broken clients. fixes: #665 --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index db8de0805..9541d6e06 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -1,4 +1,4 @@ -. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.58 2009/10/16 08:52:05 tom Exp $ +. $Cambridge: exim/doc/doc-docbook/spec.xfpt,v 1.59 2009/10/16 09:51:12 nm4 Exp $ . . ///////////////////////////////////////////////////////////////////////////// . This is the primary source of the Exim Manual. It is an xfpt document that is @@ -12368,6 +12368,7 @@ listed in more than one group. .row &%gnutls_require_kx%& "control GnuTLS key exchanges" .row &%gnutls_require_mac%& "control GnuTLS MAC algorithms" .row &%gnutls_require_protocols%& "control GnuTLS protocols" +.row &%gnutls_compat_mode%& "use GnuTLS compatibility mode" .row &%tls_advertise_hosts%& "advertise TLS to these hosts" .row &%tls_certificate%& "location of server certificate" .row &%tls_crl%& "certificate revocation list" @@ -13367,6 +13368,11 @@ server. For details, see section &<>&. This option controls the protocols when GnuTLS is used in an Exim server. For details, see section &<>&. +.option gnutls_compat_mode main boolean unset +This option controls whether GnuTLS is used in compatibility mode in an Exim +server. This reduces security slightly, but improves interworking with older +implementations of TLS. + .option headers_charset main string "see below" This option sets a default character set for translating from encoded MIME 
@@ -21467,6 +21473,11 @@ client. For details, see section &<>&. This option controls the protocols when GnuTLS is used in an Exim client. For details, see section &<>&. +.option gnutls_compat_mode main boolean unset +This option controls whether GnuTLS is used in compatibility mode in an Exim +server. This reduces security slightly, but improves interworking with older +implementations of TLS. + .option helo_data smtp string&!! "see below" .cindex "HELO" "argument, setting" .cindex "EHLO" "argument, setting" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index e7db60003..6153e000b 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.569 2009/10/14 14:48:41 nm4 Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.570 2009/10/16 09:51:12 nm4 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -111,6 +111,9 @@ NM/19 Bugzilla 745: TLS version reporting NM/20 Bugzilla 167: bool: condition support Patch provided by Phil Pennock +NM/21 Bugzilla 665: gnutls_compat_mode to allow compatibility with broken clients + Patch provided by Phil Pennock + Exim version 4.69 ----------------- diff --git a/src/src/globals.c b/src/src/globals.c index 98e1da5d6..b40e8e9dc 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/globals.c,v 1.84 2009/10/15 08:27:37 tom Exp $ */ +/* $Cambridge: exim/src/src/globals.c,v 1.85 2009/10/16 09:51:12 nm4 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -111,6 +111,7 @@ uschar *tls_on_connect_ports = NULL; uschar *tls_peerdn = NULL; #ifdef SUPPORT_TLS +BOOL gnutls_compat_mode = FALSE; uschar *gnutls_require_mac = NULL; uschar *gnutls_require_kx = NULL; uschar *gnutls_require_proto = NULL; diff --git a/src/src/globals.h b/src/src/globals.h index 04a030bab..a50d1b469 100644 --- a/src/src/globals.h +++ b/src/src/globals.h 
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/globals.h,v 1.65 2009/10/15 08:27:37 tom Exp $ */
+/* $Cambridge: exim/src/src/globals.h,v 1.66 2009/10/16 09:51:12 nm4 Exp $ */
 
 /*************************************************
 * Exim - an Internet mail transport agent *
@@ -71,6 +71,7 @@ extern uschar *tls_on_connect_ports; /* Ports always tls-on-connect */
 extern uschar *tls_peerdn; /* DN from peer */
 
 #ifdef SUPPORT_TLS
+extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
 extern uschar *gnutls_require_mac; /* So some can be avoided */
 extern uschar *gnutls_require_kx; /* So some can be avoided */
 extern uschar *gnutls_require_proto; /* So some can be avoided */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 1651ecc6a..c836d37eb 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/readconf.c,v 1.37 2009/10/16 08:51:34 tom Exp $ */
+/* $Cambridge: exim/src/src/readconf.c,v 1.38 2009/10/16 09:51:12 nm4 Exp $ */
 
 /*************************************************
 * Exim - an Internet mail transport agent *
@@ -235,6 +235,7 @@ static optionlist optionlist_config[] = {
   { "gecos_name", opt_stringptr, &gecos_name },
   { "gecos_pattern", opt_stringptr, &gecos_pattern },
 #ifdef SUPPORT_TLS
+  { "gnutls_compat_mode", opt_bool, &gnutls_compat_mode },
   { "gnutls_require_kx", opt_stringptr, &gnutls_require_kx },
   { "gnutls_require_mac", opt_stringptr, &gnutls_require_mac },
   { "gnutls_require_protocols", opt_stringptr, &gnutls_require_proto },
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index c26a9bac6..0e90b7908 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/tls-gnu.c,v 1.22 2009/10/14 13:52:48 nm4 Exp $ */
+/* $Cambridge: exim/src/src/tls-gnu.c,v 1.23 2009/10/16 09:51:12 nm4 Exp $ */
 
 /*************************************************
 * Exim - an Internet mail transport agent *
@@ -792,6 +792,18 @@ if (verify_requirement != VERIFY_NONE)
 
 gnutls_db_set_cache_expiration(session, ssl_session_timeout);
 
+/* Reduce security in favour of increased compatibility, if the admin
+decides to make that trade-off. */
+if (gnutls_compat_mode)
+  {
+#if LIBGNUTLS_VERSION_NUMBER >= 0x020104
+  DEBUG(D_tls) debug_printf("lowering GnuTLS security, compatibility mode\n");
+  gnutls_session_enable_compatibility_mode(session);
+#else
+  DEBUG(D_tls) debug_printf("Unable to set gnutls_compat_mode - GnuTLS version too old\n");
+#endif
+  }
+
 DEBUG(D_tls) debug_printf("initialized GnuTLS session\n");
 return session;
 }
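Review bot: When `gnutls_compat_mode` is set but the build predates the 0x020104 version gate, the `#else` branch only emits a D_tls debug line, so in normal operation an admin who configured the option gets neither the requested behaviour nor any indication that it was ignored; the outcome is fail-secure (compatibility mode stays off) but the silence hides a misconfiguration. A main-log entry such as `log_write(0, LOG_MAIN, "gnutls_compat_mode is set but this GnuTLS is too old to honour it; ignoring");` would surface it, and since the condition is known at compile time the same message could be logged once at configuration time rather than on every session. The comment above the `if` could also say what is actually being relaxed so readers need not look up the GnuTLS call: `/* gnutls_session_enable_compatibility_mode() relaxes GnuTLS strictness for interoperability with non-compliant peers; off by default, admin must opt in. */`. If this session-initialisation routine is shared by server and client sessions (not visible from the hunk), the option affects outbound TLS as well and the documentation's "in an Exim server" wording understates its reach. The enclosing function begins outside the hunk.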