Folks,

Historically, when setting up an SSL session using OpenSSL, Exim has supplied the SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option, because an administrator who needed it supplied the patch.

I've just committed code which adds a new "openssl_options" option to the main config. The default value of this preserves the old behaviour, because changing it would mean that theoretically some setups which used to work would then stop working.

I would like to change the default, to not set any options by default. This is not just a desire for cleanliness -- the option is disabling a security countermeasure.

Is there anyone here who knows that they support ancient buggy devices which need this option set?

The most administrator-friendly approach going forward is probably going to be to let Exim 4.73 go out with this new option with the current default and then have Exim 4.74 change the default to be no value, so that people have time to set the desired behaviour explicitly in their configs so that they don't have to keep config and software version in lockstep as they roll out a release.

Does anyone here have strong opinions on this?

If you want to trial this, you can build from HEAD (or wait for 4.73, at some point in the future, no timeline yet) and set:

    openssl_options = -all

Thanks,
-Phil
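
An added example, not part of the original message and not Exim code: a shell check for the rollout concern above, reporting whether a configuration sets openssl_options explicitly and what the value says about the empty-fragments option. The token name dont_insert_empty_fragments and the single-line value are assumptions, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not Exim code. Reads an Exim configuration on stdin and
# reports what it says about SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS:
#   unset          openssl_options absent: behaviour follows the release default
#   on             value turns the option on (countermeasure disabled)
#   off            value turns the option off
#   not-mentioned  openssl_options is set, but no token touches this option
# Assumption: the token "dont_insert_empty_fragments" is how the value names
# the option; "all" (as in "-all") is treated as covering it too.
# Continuation lines and macros are not handled.
classify_openssl_options() {
  awk '
    /^[ \t]*#/ { next }                      # skip comment lines
    /^[ \t]*begin[ \t]/ { exit }             # main section ends at first "begin"
    /^[ \t]*openssl_options[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "")               # keep only the value
      value = $0
      found = 1
    }
    END {
      if (!found) { print "unset"; exit }
      state = "not-mentioned"
      n = split(value, tok, /[ \t]+/)
      for (i = 1; i <= n; i++) {             # later tokens override earlier ones
        name = substr(tok[i], 2)
        if (name != "dont_insert_empty_fragments" && name != "all") continue
        sign = substr(tok[i], 1, 1)
        if (sign == "+") state = "on"
        else if (sign == "-") state = "off"
      }
      print state
    }
  '
}

# Constructed sample: the trial setting from the message.
printf 'tls_advertise_hosts = *\nopenssl_options = -all\n' | classify_openssl_options
```

A result of "unset" marks a configuration whose TLS behaviour would change when the release default changes.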
