On Wed, Oct 04, 2023 at 09:39:44PM +0000, Exim Bugzilla via Exim-dev wrote:
> The SSL_OP_NO_EXTENDED_MASTER_SECRET and SSL_OP_IGNORE_UNEXPECTED_EOF options
> were added in OpenSSL 3.0
>
> https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
>
> As far as I can see, Exim does not yet support both options

However, there's no good reason to disable EMS; it improves security with
no known downside:

    https://www.ietf.org/rfc/rfc7627.html

As for SSL_OP_IGNORE_UNEXPECTED_EOF, this should always be turned on
internally in Exim, without users having to do it themselves.  SMTP has
application-layer framing and does not need TLS to disambiguate message
boundaries.

Though Postfix precedent may not be entirely compelling here, FWIW:

    20230115

        Workaround for a breaking change in OpenSSL 3: always
        turn on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning
        messages and missed opportunities for TLS session reuse.
        This is safe because the SMTP protocol implements
        application-level framing, and is therefore not affected
        by TLS truncation attacks.  Fix by Viktor Dukhovni.
        Files: tls/tls.h, tls_client.c, tls/tls_server.c.

-- 
    Viktor.

-- 
## subscription configuration (requires account):
##   https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
##   [email protected]
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
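The argument above, that an MTA can safely set SSL_OP_IGNORE_UNEXPECTED_EOF because SMTP's own framing already tells each side where a reply or a message ends, is illustrated by the following added example. It is not Exim or Postfix code. It uses Python's `ssl.OP_IGNORE_UNEXPECTED_EOF` (the binding of the OpenSSL 3 option, present in Python 3.10 and later when built against OpenSSL 3) and two small framing checks written for this example: one for server replies as a client sees them (RFC 5321 section 4.2: continuation lines are `DDD-text`, the final line is `DDD text` or `DDD`, all CRLF-terminated) and one for the DATA phase as a server sees it (RFC 5321 section 4.1.1.4: the message ends only at `<CRLF>.<CRLF>`). The sample byte strings are constructed for the example. A TLS peer closing the TCP connection without close_notify in the middle of any of these is detected as truncation by the application layer, whether or not OpenSSL reports an unexpected EOF.

```python
"""Added example: SMTP application-layer framing versus TLS truncation.

Not Exim or Postfix code.  ssl.OP_IGNORE_UNEXPECTED_EOF is Python's name for
OpenSSL 3's SSL_OP_IGNORE_UNEXPECTED_EOF; it is absent on older builds.
"""
import re
import ssl

# Start of an SMTP reply line: three-digit code, then '-' (continuation),
# ' ' (final line with text) or end of line (final line without text).
REPLY_LINE = re.compile(rb"^(\d{3})([ -]|$)")


def tls_client_context():
    """Return (ctx, applied).  `applied` is True when this interpreter exposes
    OP_IGNORE_UNEXPECTED_EOF and it was OR-ed into the context options.
    Assumption: the caller relies on SMTP framing (below), as an MTA does."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    flag = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", None)  # Python >= 3.10, OpenSSL 3
    if flag is None:
        return ctx, False
    ctx.options |= flag
    return ctx, True


def reply_state(buf: bytes):
    """Classify bytes a client received from the server up to EOF.

    Returns ("complete", code) when the buffer ends exactly at the end of a
    reply, i.e. the last CRLF-terminated line is a final line and no
    multi-line reply is left open; otherwise ("truncated", None).
    """
    if not buf.endswith(b"\r\n"):
        return "truncated", None  # EOF inside a line
    code, open_reply = None, False
    for line in buf[:-2].split(b"\r\n"):
        m = REPLY_LINE.match(line)
        # Not a reply line, or a continuation whose code changed mid-reply.
        if not m or (open_reply and m.group(1) != code):
            return "truncated", None
        code = m.group(1)
        open_reply = m.group(2) == b"-"
    if open_reply:
        return "truncated", None  # EOF after a 'DDD-' line, final line missing
    return "complete", int(code)


def data_state(buf: bytes):
    """Classify bytes a server received after replying 354 to DATA, up to EOF.

    The message is complete only when the client sent the terminator line
    '.' on a line of its own; an empty message is just b".\\r\\n".
    """
    if buf == b".\r\n" or buf.endswith(b"\r\n.\r\n"):
        return "complete"
    return "truncated"


# Constructed samples: what each side holds at the moment the peer's TCP
# connection closes without a TLS close_notify.
EHLO_FULL = b"250-mail.example\r\n250-PIPELINING\r\n250 STARTTLS\r\n"
EHLO_CUT_MID_LINE = b"250-mail.example\r\n250-PIPELI"
EHLO_CUT_AFTER_CONT = b"250-mail.example\r\n250-PIPELINING\r\n"
MSG_FULL = b"Subject: hi\r\n\r\nbody\r\n.\r\n"
MSG_CUT = b"Subject: hi\r\n\r\nbody\r\n"


def demo():
    """Return the classification of every sample as a dict."""
    return {
        "ehlo_full": reply_state(EHLO_FULL),
        "ehlo_cut_mid_line": reply_state(EHLO_CUT_MID_LINE),
        "ehlo_cut_after_cont": reply_state(EHLO_CUT_AFTER_CONT),
        "msg_full": data_state(MSG_FULL),
        "msg_cut": data_state(MSG_CUT),
    }


if __name__ == "__main__":
    ctx, applied = tls_client_context()
    print("OP_IGNORE_UNEXPECTED_EOF applied:", applied)
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The two truncated EHLO samples are the interesting cases: in one the connection died inside a line, in the other after a complete line that was nevertheless a continuation. Both are caught by `reply_state` from the bytes alone, which is the whole reason an MTA loses nothing by telling OpenSSL not to treat a missing close_notify as an error. Note that `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` enables certificate verification and hostname checking by default; nothing here relaxes that.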
