[exim-dev] [Bug 1170] New: SSL fingerprint should be made accessible
--- You are receiving this mail because: ---
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1170

Summary: SSL fingerprint should be made accessible
Product: Exim
Version: 4.77
Platform: All
OS/Version: All
Status: NEW
Severity: wishlist
Priority: medium
Component: TLS
AssignedTo: ni...@exim.org
ReportedBy: bjo...@j3e.de
CC: exim-dev@exim.org

Currently it is not possible with Exim to tell it what a certain domain's mail server's SSL fingerprint is. Today it is only possible to trust servers by trusting one or multiple CAs, that have signed their certificates.

For security reasons it would be *very* good if you could tell exim that the mail server mail.example.com has a certain SSL fingerprint and that only *that* fingerprint is the right one for that domain. This is also important to prevent attacks from people who got spurious access to one of the trusted CAs.

Postfix has very advanced tls support, here is the documentation of the above mentioned fingerprint checking in postfix:

http://www.postfix.org/TLS_README.html#client_tls_fprint

Maybe you can get some inspirations from that ...

--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
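The per-domain fingerprint check requested in the message above, as an added sketch that is not part of the original mail and is neither Exim nor Postfix code. The function names, the pin table layout and the certificate bytes are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates. A real client would take
# these bytes from ssl.SSLSocket.getpeercert(binary_form=True).
PINNED_CERT_DER = b"constructed-der-bytes-for-mail.example.com"
ROGUE_CERT_DER = b"constructed-der-bytes-signed-by-a-misused-ca"


def fingerprint(der, algo="sha256"):
    """Digest of the DER certificate as colon-separated upper-case hex."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalise(fp):
    """Drop separators and case so 'AA:bb' and 'aabb' compare equal."""
    return fp.replace(":", "").replace(" ", "").lower().encode("ascii")


def check_peer(host, der, pins, ca_verified):
    """Decide whether the peer certificate is acceptable for `host`.

    pins maps a host name to the list of fingerprints accepted for it
    (hypothetical layout). For a pinned host only a fingerprint match counts,
    so a certificate that chains to a trusted CA but carries a different
    fingerprint is rejected. Hosts without a pin fall back to the CA result.
    """
    wanted = pins.get(host.lower().rstrip("."))
    if wanted is None:
        return ca_verified
    seen = _normalise(fingerprint(der))
    # Constant-time comparison; a length mismatch simply yields False.
    return any(hmac.compare_digest(seen, _normalise(p)) for p in wanted)


if __name__ == "__main__":
    pins = {"mail.example.com": [fingerprint(PINNED_CERT_DER)]}
    for der, ca_ok in ((PINNED_CERT_DER, False), (ROGUE_CERT_DER, True)):
        verdict = check_peer("mail.example.com", der, pins, ca_ok)
        print(fingerprint(der)[:23] + "...", "CA ok" if ca_ok else "CA fail",
              "->", "accept" if verdict else "reject")
```

A list of fingerprints per host lets the old and the new certificate both match during a planned certificate rollover.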
[exim-dev] [Bug 1095] Uses (soon to be) deprecated GnuTLS functions
http://bugs.exim.org/show_bug.cgi?id=1095

--- Comment #4 from Christof Meerwald cme...@cmeerw.org 2011-10-22 14:09:46 ---
Created an attachment (id=509)
-- (http://bugs.exim.org/attachment.cgi?id=509)
Update exim gnutls support

This patch replaces tls_require_ciphers, gnutls_require_kx, gnutls_require_mac and gnutls_require_protocols with gnutls_priority (which is passed directly to gnutls_priority_set_direct).

The name of the gnutls-params file is now configurable via tls_dhparam (similar to OpenSSL).

Added an option gnutls_require_dh_bits (to avoid passing a hardcoded value to gnutls_dh_set_prime_bits).

Uses gnutls_sec_param_to_pk_bits (for GnuTLS = 2.12) to get the number of bits to pass to gnutls_dh_params_generate2 (instead of a hardcoded value).

I don't expect this patch to be the final version, but rather as a basis for further discussions.