gnutls 2.9.10 breaks exim4 TLS (Denying unsafe (re)negotiation.)

Andreas Metzler ametzler at downhill.at.eu.org
Sat May 8 10:46:29 CEST 2010


On 2010-05-08 Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
[...]
> How easy would it be for exim to use gnutls_priority_* functions? The
> others have been deprecated for quite a time. Moreover it would be
> easier for exim to setup a configuration string for the
> priority_set_direct function.
[...]

Hello,
Doable, but not without pain. Exim exposes the gnutls_priority_*
functions to the user (see options tls_require_ciphers et al in
http://docs.exim.org/current/spec_html/ch39.html#SECTreqciphgnu)
switching would cause an configuration file syntax change. - It could
either ignore the old settings while still warning about them or
throw an error (invalid setting).

FWIW I think my guess was correct, after making the following change to
exim the session succeeds.
-----------------------------------
--- exim4-4.71.orig/src/tls-gnu.c
+++ exim4-4.71/src/tls-gnu.c
@@ -780,11 +780,15 @@ if ((expciphers != NULL &&
 
 /* Define the various priorities */
 
-gnutls_cipher_set_priority(session, cipher_priority);
+/* gnutls_cipher_set_priority(session, cipher_priority);
 gnutls_compression_set_priority(session, comp_priority);
 gnutls_kx_set_priority(session, kx_priority);
 gnutls_protocol_set_priority(session, proto_priority);
-gnutls_mac_set_priority(session, mac_priority);
+gnutls_mac_set_priority(session, mac_priority); */
+
+fprintf (stderr, "amdebug 1 different priority stuff\n");
+gnutls_priority_set_direct (session, "NORMAL", NULL);
+fprintf (stderr, "amdebug 1                          done\n");
 
 gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
-----------------------------------

cu andreas





More information about the Gnutls-devel mailing list