Mailing List Archive

[Bug 3035] New: Support for new SSL context options introduced in OpenSSL 3.0
https://bugs.exim.org/show_bug.cgi?id=3035

Bug ID: 3035
Summary: Support for new SSL context options introduced in
OpenSSL 3.0
Product: Exim
Version: 4.96+
Hardware: All
OS: All
Status: NEW
Severity: wishlist
Priority: medium
Component: TLS
Assignee: jgh146exb@wizmail.org
Reporter: ivanov17@riseup.net
CC: exim-dev@lists.exim.org

The SSL_OP_NO_EXTENDED_MASTER_SECRET and SSL_OP_IGNORE_UNEXPECTED_EOF options
were added in OpenSSL 3.0

https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html

As far as I can see, Exim does not yet support either option

https://github.com/Exim/exim/blob/8c226c7c891734a1dc98b6b1e99b7771dff853e1/src/src/tls-openssl.c

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-dev.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-dev-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [Bug 3035] New: Support for new SSL context options introduced in OpenSSL 3.0
On Wed, Oct 04, 2023 at 09:39:44PM +0000, Exim Bugzilla via Exim-dev wrote:

> The SSL_OP_NO_EXTENDED_MASTER_SECRET and SSL_OP_IGNORE_UNEXPECTED_EOF options
> were added in OpenSSL 3.0
>
> https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_options.html
>
> As far as I can see, Exim does not yet support either option
>

However, there's no good reason to disable EMS; it improves security
with no known downside:

https://www.ietf.org/rfc/rfc7627.html

As for SSL_OP_IGNORE_UNEXPECTED_EOF, this should always be turned on
internally in Exim, without users having to do it themselves. SMTP has
application-layer framing and does not need TLS to disambiguate message
boundaries.

Though Postfix precedent may not be entirely compelling here, FWIW:

20230115

Workaround for a breaking change in OpenSSL 3: always turn
on SSL_OP_IGNORE_UNEXPECTED_EOF, to avoid warning messages
and missed opportunities for TLS session reuse. This is
safe because the SMTP protocol implements application-level
framing, and is therefore not affected by TLS truncation
attacks. Fix by Viktor Dukhovni. Files: tls/tls.h, tls_client.c,
tls/tls_server.c.

--
Viktor.

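The two halves of the reply above, as an added example that is not Exim or Postfix code: set the OpenSSL 3 flag unconditionally (here through Python's `ssl` binding of the same `SSL_OP_IGNORE_UNEXPECTED_EOF` option, which Python only exposes when linked against OpenSSL 3.0 or later), leave extended master secret enabled, and show the SMTP-layer framing checks that make ignoring a missing close_notify safe. The sample byte strings are constructed for the example, and the function names are my own.

```python
"""Added example, not from the Exim or Postfix sources.

Part 1: build a TLS context the way the reply recommends for an MTA.
Part 2: the SMTP framing that lets the application, not TLS, decide
        whether a reply or a DATA body arrived complete.
"""
import re
import ssl

# OpenSSL 3.0 added SSL_OP_IGNORE_UNEXPECTED_EOF. Python exports it only when
# built against OpenSSL >= 3.0, so on older builds the OR below is a no-op.
OP_IGNORE_UNEXPECTED_EOF = getattr(ssl, "OP_IGNORE_UNEXPECTED_EOF", 0)


def smtp_tls_context(purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Context for an SMTP client (SERVER_AUTH) or server (CLIENT_AUTH).

    A peer that drops the TCP connection after "221 Bye" or "QUIT" without
    sending close_notify is, to OpenSSL 3, an "unexpected EOF" that raises an
    error and marks the session non-resumable. Setting the flag turns that
    into an ordinary clean EOF, which is what the reply argues for, because
    SMTP frames its own messages (see part 2).
    """
    ctx = ssl.create_default_context(purpose)
    ctx.options |= OP_IGNORE_UNEXPECTED_EOF
    # Deliberately nothing corresponding to SSL_OP_NO_EXTENDED_MASTER_SECRET:
    # RFC 7627 EMS stays on, as the reply recommends.
    return ctx


CRLF = b"\r\n"
END_OF_DATA = b"\r\n.\r\n"
_FINAL_REPLY = re.compile(rb"\d{3}( [^\r\n]*)?")


def reply_complete(buf: bytes) -> bool:
    """True iff buf holds a complete SMTP reply.

    A reply ends with a line "NNN text\\r\\n" (space after the code);
    "NNN-text" lines are continuations. Anything cut off by a dropped
    connection either lacks the final CRLF or ends on a continuation line,
    so the client sees the truncation without help from TLS.
    """
    if not buf.endswith(CRLF):
        return False
    last = buf[:-len(CRLF)].split(CRLF)[-1]
    return _FINAL_REPLY.fullmatch(last) is not None


def data_phase_complete(buf: bytes) -> bool:
    """True iff the bytes sent after "354" end with the DATA terminator.

    The terminator is a line holding a single dot; a body line that begins
    with a dot is dot-stuffed ("..") so it cannot be mistaken for it. A body
    cut off mid-stream never ends in the terminator, so the server cannot
    be tricked into accepting a truncated message. The CRLF prefix handles
    the empty body, where the terminator directly follows the 354 reply.
    """
    return (CRLF + buf).endswith(END_OF_DATA)


if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    good_ehlo = b"250-mail.example.test\r\n250-SIZE 10240000\r\n250 STARTTLS\r\n"
    cut_ehlo = b"250-mail.example.test\r\n250-SIZE 10240000\r\n"
    good_body = b"Subject: hi\r\n\r\nline one\r\n.\r\n"
    cut_body = b"Subject: hi\r\n\r\nline o"
    print("EHLO reply complete:", reply_complete(good_ehlo))   # True
    print("truncated EHLO reply:", reply_complete(cut_ehlo))   # False
    print("DATA body complete:", data_phase_complete(good_body))  # True
    print("truncated DATA body:", data_phase_complete(cut_body))  # False
    ctx = smtp_tls_context()
    print("ignore-unexpected-EOF flag set:",
          bool(ctx.options & OP_IGNORE_UNEXPECTED_EOF) or OP_IGNORE_UNEXPECTED_EOF == 0)
```

The framing checks are the argument in the reply made concrete: whatever TLS reports about the close, an MTA only acts on a reply whose final line it has seen and only accepts a body whose terminator it has seen, so a TLS truncation attack cannot change what is delivered.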