From e2fbf4a211bdcff441c50f58f3c1f1fb17f56d61 Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Sun, 16 Jun 2013 21:32:11 -0400
Subject: [PATCH] Support safari_ecdhe_ecdsa_bug for openssl_options
---
 doc/doc-docbook/spec.xfpt | 11 +++++++++++
 doc/doc-txt/ChangeLog | 4 ++++
 src/src/tls-openssl.c | 7 ++++++-
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 56ce0693b..29214e3e1 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -14742,6 +14742,8 @@ Possible options may include:
 .next
 &`no_tlsv1_2`&
 .next
+&`safari_ecdhe_ecdsa_bug`&
+.next
 &`single_dh_use`&
 .next
 &`single_ecdh_use`&
@@ -14757,6 +14759,15 @@ Possible options may include:
 &`tls_rollback_bug`&
 .endlist
+.new
+As an aside, the &`safari_ecdhe_ecdsa_bug`& item is a misnomer and affects
+all clients connecting using the MacOS SecureTransport TLS facility prior
+to MacOS 10.8.4, including email clients. If you see old MacOS clients failing
+to negotiate TLS then this option value might help, provided that your OpenSSL
+release is new enough to contain this work-around. This may be a situation
+where you have to upgrade OpenSSL to get buggy clients working.
+.wen
+
 .option oracle_servers main "string list" unset
 .cindex "Oracle" "server list"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index d84e2aa5d..f9a376779 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -205,6 +205,10 @@ PP/21 Fix eximon continuous updating with timestamped log-files.
 PP/22 Guard LDAP TLS usage against Solaris LDAP variant.
 Report from Prashanth Katuri.
+PP/23 Support safari_ecdhe_ecdsa_bug for openssl_options.
+ It's SecureTransport, so affects any MacOS clients which use the
+ system-integrated TLS libraries, including email clients.
+
 Exim version 4.80.1
 -------------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 6f2646f03..b273fff75 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2061,7 +2061,9 @@ all options unless explicitly for DTLS, let the administrator choose which to
 apply. This list is current as of:
- ==> 1.0.1b <== */
+ ==> 1.0.1b <==
+Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
+*/
 static struct exim_openssl_option exim_openssl_options[] = {
 /* KEEP SORTED ALPHABETICALLY! */
 #ifdef SSL_OP_ALL
@@ -2126,6 +2128,9 @@ static struct exim_openssl_option exim_openssl_options[] = {
 #ifdef SSL_OP_NO_TLSv1_2
 { US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
 #endif
+#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+ { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
+#endif
 #ifdef SSL_OP_SINGLE_DH_USE
 { US"single_dh_use", SSL_OP_SINGLE_DH_USE },
 #endif
-- 
2.25.1
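Review bot: The new table entry under `#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG` compiles to nothing on an OpenSSL that predates the macro, and the comment changed in the first hunk of this file (`Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev`) names a mailing-list thread rather than a release, so a reader of exim_openssl_options cannot tell which OpenSSL an administrator needs before `safari_ecdhe_ecdsa_bug` is accepted in openssl_options. Suggest recording the release in that comment once known, e.g. `Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG (first shipped in OpenSSL <release - TODO confirm>)`, and adding a one-line comment on the entry itself, `/* applies to every pre-10.8.4 MacOS SecureTransport client, not only Safari; see spec.xfpt */`, since the spec.xfpt paragraph in this same patch is currently the only place that caveat is stated. How the option parser reports a name that is absent from the table is outside this hunk, so whether a silently missing entry fails loudly at configuration time cannot be confirmed from here.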