On 2012-05-03 at 06:21 -0700, Phil Pennock wrote:
> OpenSSL 1.0.1 adds support for TLS1.1 and TLS1.2.  It is also not
> working with Exim at present!

> I'm currently talking with the OpenSSL developers over on the
> openssl-users mailing-list, trying to figure out what's happened.  I
> think I've narrowed down the line of code in Exim which causes things to
> go horribly wrong, but don't yet know *why* it's going wrong.

That thread didn't go much of anywhere.  However: removing a call to
SSL_clear() got basic interop working.

My setting SSL_MODE_AUTO_RETRY in the context got basic renegotiation
working, for TLS1.0.

This fix to OpenSSL (1.0.0c, will be in d):
  http://cvs.openssl.org/chngview?cn=22565

gets renegotiation working for TLS 1.1 and 1.2; without that,
renegotiation is clamped to TLS1.0 and fails.

I can confirm that with a fixed OpenSSL library, TLS renegotiation works
fine with Exim master head, including in combination with SNI.  We're in
a stronger situation there.

My GnuTLS revamp is in progress; alas, it's more laborious than expected
since the documentation is for GnuTLS 3, but the OS vendors have stuck
to GnuTLS 2.  Perhaps not unrelated to 3 being released with the
tarballs being only available in two non-prolific compression schemes
(.xz and .lz), dropping both .gz and .bz2.  *sigh*  I do want to get rid
of the API deprecation warnings (even with 2), and get SNI support in
there, for feature parity.

-Phil

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
