On 2021-09-18 Sabahattin Gucukoglu via Exim-users <[email protected]> wrote:
> Debian always builds Exim against GnuTLS, in its “heavy” variation,
> but I’ve always resisted by building against OpenSSL (and,
> incidentally, taken the time to tweak it for me). On the face of it
> that’s fine, except …

> Is there really a good reason? I do it chiefly because I like
> OpenSSL’s cipher selection (I want very permissive, ordered by
> @STRENGTH, and TLS 1.3 would be nice). There were also horror stories
> about RNG entropy starvation caused by GnuTLS.

> It’s tedious. I don’t put compilers on my server, and I don’t much
> enjoy setting up a build environment just to compile Exim against
> stable libraries and headers. It also makes upgrading much harder.
[...]

Hello,

imho exim linked against GnuTLS is perfectly adequate for a quiet personal server. I have been using it for ages. FWIW I also do not fiddle with TLS cipher selection on my server. GnuTLS defaults are supposed to be sane, and its authors know a lot more about encryption than I do.

Debian links exim against GnuTLS mainly for historic reasons. OpenSSL's license (pre 3.0.0) is GPL incompatible and at the point in time we looked at it some of the libraries we wanted to link (indirectly) against were GPL without OpenSSL-exception.

cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are so grateful to you.'
`I sew his ears on from time to time, sure'
