On 29/03/18 04:08, Phil Pennock via Exim-dev wrote:
> I've written support for a new SMTP Transport option
> dane_require_tls_ciphers which is like tls_require_ciphers but is used
> in _preference_ to tls_require_ciphers when DANE is enabled.
> 
> This seemed much saner than requiring lots of conditional logic,
> especially since we already ignore most of the TLS options once DANE is
> in play anyway.
> 
> I wrote code for OpenSSL and GnuTLS and tested compilation with OpenSSL.
> 
> I wrote docs.  I did not write tests, I'm way out of practice on the
> Exim test suite.
> 
> Pushed to dane_require_tls_ciphers in the main git repo.

The coding is nicely self-contained, and at a quick glance should do
the job.

I'm unsure about the philosophy of the interface; having one option
override another.  You mentioned "complex expansions" before in the
discussion but without detail.  I assume that's the same consideration
as "lots of conditional logic" above.  Was that discarding the solution
of dnsdb-lookup expansions selecting values for the original
tls_require_ciphers option?


> Jeremy, does this look mergeable/sane?  Did we get as far as pre-merge
> testing at any point, rather than post-merge testing?

I'd prefer testing was in place before merge if at all possible.
Certainly in place before it hits a release.

> What sort of coverage do we need from tests?  It's honestly going to be
> faster if someone else writes them

I'll have a go, planning to push into the dane_require_tls_ciphers
branch.
-- 
Cheers,
  Jeremy


-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim 
details at http://www.exim.org/ ##
