On 2012-05-03 at 06:21 -0700, Phil Pennock wrote:
> OpenSSL 1.0.1 adds support for TLS1.1 and TLS1.2. It is also not
> working with Exim at present!
>
> I'm currently talking with the OpenSSL developers over on the
> openssl-users mailing-list, trying to figure out what's happened. I
> think I've narrowed down the line of code in Exim which causes things to
> go horribly wrong, but don't yet know *why* it's going wrong.

That thread didn't go much of anywhere. However: removing a call to SSL_clear() got basic interop working. My setting SSL_MODE_AUTO_RETRY in the context got basic renegotiation working, for TLS1.0.

This fix to OpenSSL (1.0.0c, will be in d):
http://cvs.openssl.org/chngview?cn=22565
gets renegotiation working for TLS 1.1 and 1.2; without that, renegotiation is clamped to TLS1.0 and fails.

I can confirm that with a fixed OpenSSL library, TLS renegotiation works fine with Exim master head, including in combination with SNI. We're in a stronger situation there.

My GnuTLS revamp is in progress; alas, it's more laborious than expected since the documentation is for GnuTLS 3, but the OS vendors have stuck to GnuTLS 2. Perhaps not unrelated to 3 being released with the tarballs being only available in two non-prolific compression schemes (.xz and .lz), dropping both .gz and .bz2. *sigh*

I do want to get rid of the API deprecation warnings (even with 2), and get SNI support in there, for feature parity.

-Phil

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
