Is anyone using Exim with OpenSSL v1.1.1 or earlier ?

Context: https://bugs.exim.org/show_bug.cgi?id=3131
and the mailop list message below.

(I still have a VM that can build Exim 4.98 with OpenSSL 1.0.2u
but would not dare run it in listening mode.)

Thanks,

--
Andrew C. Aitchison                      Kendal, UK
                    and...@aitchison.me.uk

---------- Forwarded message ----------

Date: Fri, 31 Jan 2025 13:21:26 +1100
From: Viktor Dukhovni via mailop <mai...@mailop.org>
To: mai...@mailop.org
Cc: Viktor Dukhovni <postmas...@dukhovni.org>
Subject: Re: [mailop] Updating DANE support in exim - was Re: SMTP TLS Reports
     for forged senders.

On Thu, Jan 30, 2025 at 06:38:14PM +0000, Andrew C Aitchison via mailop wrote:

On Mon, 18 Nov 2024, Viktor Dukhovni via mailop wrote:

Exim is after all (IIRC) still using my dated code for DANE cert
validation over OpenSSL.  Though with OpenSSL 1.0.2 long in the
rear-view mirror, this might also be a good time to switch to the
native OpenSSL DANE support.  If you know anyone who might be
interested in doing that, please have them get in touch if they need
help.

https://bugs.exim.org/show_bug.cgi?id=3131

DANE support was added in OpenSSL 1.1.0 and has been stable since.  Both
OpenSSL 1.1.0 and 1.1.1 (LTS) have been retired.  The oldest still
supported version is 3.0.  So there should not IMHO be any concerns
about requiring at least 1.1.1 and probably 3.0 in a new version of Exim.

The documentation for the native DANE support in OpenSSL is in:

     https://docs.openssl.org/3.0/man3/SSL_CTX_dane_enable/

The "EXAMPLES" section has a fairly detailed sketch of how the API might
be used.

In Postfix the code in question can be found at:

     https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L1076-L1169
     https://github.com/vdukhovni/postfix/blob/master/postfix/src/tls/tls_client.c#L574-L597

[ Much of that is recently added code to support TLSRPT. ]

--------------------------------------------------------------

--
Andrew C. Aitchison                      Kendal, UK
                    and...@aitchison.me.uk
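
An added example, not part of the thread, for answering the question above on a given host: it reads `exim -bV` output and classifies the compile-time and runtime OpenSSL versions against the thresholds stated in the forwarded message (native DANE from 1.1.0; 1.1.0 and 1.1.1 retired; 3.0 the oldest supported). The function names are hypothetical, the sample text is constructed, and the "Compile: OpenSSL ..." / "Runtime: OpenSSL ..." line format is an assumption about `exim -bV` output.

```shell
#!/bin/sh
# classify_openssl VERSION: print a status word for e.g. "1.0.2u" or "3.0.15".
classify_openssl() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}          # drop letter/patch suffixes
    case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -ge 3 ]; then
        echo native-dane-supported   # 3.0 or later
    elif [ "$major" -eq 1 ] && [ "$minor" -ge 1 ]; then
        echo native-dane-retired     # 1.1.0 / 1.1.1: has the API, no longer maintained
    elif [ "$major" -le 1 ]; then
        echo no-native-dane          # 1.0.x and older predate the API
    else
        echo unknown
    fi
}

# exim_openssl_versions: read `exim -bV` text on stdin, print "compile V" / "runtime V".
exim_openssl_versions() {
    sed -n -e 's/.*Compile: OpenSSL \([0-9][^ ]*\).*/compile \1/p' \
           -e 's/.*Runtime: OpenSSL \([0-9][^ ]*\).*/runtime \1/p'
}

# audit_exim_openssl: report both versions; return 1 unless both are 3.0+,
# 2 if no OpenSSL lines were found (e.g. a GnuTLS build).
audit_exim_openssl() {
    rc=0
    found=$(exim_openssl_versions)
    [ -n "$found" ] || { echo "no OpenSSL version lines found"; return 2; }
    while read -r role v; do
        state=$(classify_openssl "$v")
        echo "$role $v $state"
        [ "$state" = native-dane-supported ] || rc=1
    done <<EOF
$found
EOF
    return $rc
}

# Constructed sample of `exim -bV` output (not captured from a real host).
SAMPLE_BV='Exim version 4.98 #2 built 01-Jan-2025 00:00:00
Library version: OpenSSL: Compile: OpenSSL 1.0.2u  20 Dec 2019
                          Runtime: OpenSSL 1.0.2u  20 Dec 2019'
printf '%s\n' "$SAMPLE_BV" | audit_exim_openssl || true
```

On a real host, run it as `exim -bV | audit_exim_openssl`; a compile/runtime mismatch shows up as two different version lines.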



