author    Sergey Poznyakoff <gray@gnu.org>    2017-03-18 10:07:30 +0200
committer Sergey Poznyakoff <gray@gnu.org>    2017-03-18 14:44:55 +0200
commit    afda9ba46c7eb2c061f3907dc7e80ae1ba38157b (patch)
tree      84da1baef0e14dc0e70419913d4e1a5d84e9e16e /NEWS
parent    0c8e598549a7cb99b9665f37814b006765344c43 (diff)
download  mailutils-afda9ba46c7eb2c061f3907dc7e80ae1ba38157b.tar.gz
          mailutils-afda9ba46c7eb2c061f3907dc7e80ae1ba38157b.tar.bz2
Rewrite TLS support
The new implementation allows for per-server certificates.

* libmu_auth/Makefile.am: Build tls support depending on the value of
MU_COND_GNUTLS.
* libmu_auth/notls.c: New file.
* libmu_auth/tls.c: Rewrite.
* libmu_auth/tlsiostr.c: New file.
* libmu_auth/tlsvar.c: New file.
* libmu_auth/tlsconf.c: New file.
* include/mailutils/sys/tls-stream.h (_mu_tls_stream): New members:
session_type, conf, cred.
(mu_tls_io_stream_create): New proto.
* include/mailutils/tls.h (mu_tls_module_config): Remove definition.
(mu_tls_config): New structure.
(mu_tls_server_stream_create): Remove proto.
(mu_tls_cert_file_checks) (mu_tls_key_file_checksr)
(mu_tls_ca_file_checks): New globals.
(MU_TLS_CERT_FILE_CHECKS) (MU_TLS_KEY_FILE_CHECKS)
(MU_TLS_CA_FILE_CHECKS): New defines.
(mu_tls_stream_create): New proto.
(mu_tls_config_status): New constants.
(mu_tls_check_config): Remove.
(mu_tls_config_check): New function.
* include/mailutils/server.h (mu_m_server_preflight_fp): New typedef.
(mu_m_server_set_preflight): New proto.
* libmailutils/diag/debcat (tls): New category.
* libmailutils/server/ipsrv.c (mu_ip_server_get_data): New function.
* libmailutils/server/msrv.c (_mu_m_server) <preflight>: New method.
(mu_m_server_set_preflight): New function.
(mu_m_server_destroy): Destroy the srvlist.
(open_connection): New function.
(mu_m_server_run): Remove from srvlist only those servers that failed
to open. Run preflight check, if registered.
* include/mailutils/cfg.h (mu_cfg_section): New member: data.
* libmailutils/cfg/driver.c (dup_container): Copy the "data" pointer.
(mu_cfg_section_add_params): Preserve original pointer and offset
when necessary.
* libmailutils/cfg/parser.y (_scan_tree_helper): Use the section data
pointer (if set) as data target.
* configure.ac (MU_COND_GNUTLS): New conditional.
* imap4d/commands.c: Remove #ifdef WITH_TLS preprocessor conditional.
* imap4d/imap4d.c (tls_mode): Remove variable.
(imap4d_srv_config): Move definition to the header file.
Remove #ifdef WITH_TLS preprocessor conditionals.
Rename the tls configuration statement to tls-mode.
Add new subsection .server.tls;
Remove the legacy tls-required configuration statement.
(imap4d_mainloop): Change signature: take a pointer to the struct
imap4d_srv_config as the 3rd argument. Use the cfg->tls_mode member to
decide on TLS state.
(main): Call mu_tls_cfg_init. Install server preflight checker.
* imap4d/imap4d.h: Remove #ifdef WITH_TLS preprocessor conditionals.
(imap4d_srv_config): Moved from imap4d.c. New member: tls_conf.
(imap4d_session): New member: tls_conf.
(global_tls_conf): New global.
(io_setio, imap4d_init_tls_server): Change prototypes.
* imap4d/io.c (io_setio): Change signature: take a pointer to the
struct mu_tls_config as the 3rd argument. Rewrite TLS support.
(imap4d_init_tls_server): Take a pointer to the struct mu_tls_config.
* imap4d/starttls.c (tls_available, tls_done): Remove globals.
(global_tls_conf): New global.
(imap4d_starttls): Keep TLS state in the session.
(tls_encryption_on): Likewise.
(starttls_init): Rewrite as a mserver preflight check function.
* pop3d/capa.c: Remove #ifdef WITH_TLS preprocessor conditional.
(capa_stls): Rewrite.
* pop3d/cmd.c (global_tls_conf): New global.
(stls_preflight): New function.
(pop3d_error_string): Rewrite using char ** array.
* pop3d/extra.c (pop3d_setio): Take a pointer to struct mu_tls_config
as the 3rd argument. Decide on TLS using it.
(pop3d_init_tls_server): Take a pointer to struct mu_tls_config.
* pop3d/pop3d.c: Rename the tls configuration statement to tls-mode.
Add new subsection .server.tls;
Remove the legacy tls-required configuration statement.
(pop3d_mainloop): Take a pointer to struct mu_tls_config as the 3rd
argument. Decide on TLS using it.
(main): Call mu_tls_cfg_init. Install server preflight check.
* pop3d/pop3d.h (pop3d_session): New member tls_conf.
(pop3d_srv_config): New definition.
(global_tls_conf): New extern.
* pop3d/stls.c: Rewrite TLS support.
* NEWS: Document new features.
* configure.ac: Version 3.2.90.
* doc/texinfo/programs.texi: Update.
Diffstat (limited to 'NEWS')
-rw-r--r--  NEWS  73
1 files changed, 72 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 76ab20bd6..fde44651a 100644
--- a/NEWS
+++ b/NEWS
@@ -1,10 +1,81 @@
-GNU mailutils NEWS -- history of user-visible changes. 2017-03-11
+GNU mailutils NEWS -- history of user-visible changes. 2017-03-18
Copyright (C) 2002-2017 Free Software Foundation, Inc.
See the end of file for copying conditions.
Please send mailutils bug reports to <bug-mailutils@gnu.org>.
+Version 3.2.90 (Git)
+
+* TLS configuration
+
+Note the following changes to the TLS configuration:
+
+** global tls section
+
+The following statements have been renamed:
+
+ ssl-cafile renamed to ssl-ca-file
+ ssl-cert renamed to ssl-certificate-file
+ ssl-key renamed to ssl-key-file
+
+The following statements have been removed:
+
+ enable
+ key-file-safety-checks
+ cert-file-safety-checks
+ ca-file-safety-checks
+
+The functionality of the latter three is now moved to the
+tls-file-checks section.
+
+Example of a valid global tls section:
+
+ tls {
+ ssl-certificate-file /etc/ssl/cert/imap.pem;
+ ssl-key-file /etc/ssl/private/imap.key;
+ }
+
+** global tls-file-checks statement
+
+The tls-file-checks statement configures safety checks for SSL
+certificate and key files. It is a global section. Its syntax is
+as follows:
+
+ tls-file-checks {
+ key-file <arg: list>;
+ cert-file <arg: list>;
+ ca-file <arg: list>;
+ }
+
+The <arg> list is a list or sequence of check names optionally
+prefixed with '+' to enable or '-' to disable the corresponding check.
+Valid check names are the same as in previous versions.
+
+Use this statement instead of the deprecated cert-file-safety-checks,
+key-file-safety-checks, and ca-file-safety-checks.
+
+* Per-server TLS support
+
+It is now possible to configure per-server SSL certificates in POP3
+and IMAP4 servers. To do so, place a "tls" subsection within the
+corresponding "server" section. The syntax of the "tls" subsection
+is the same as for the global section described above, e.g.:
+
+ server imap.example.com:143 {
+ tls-mode required;
+ tls {
+ ssl-certificate-file /etc/ssl/cert/imap.pem;
+ ssl-key-file /etc/ssl/private/imap.key;
+ }
+ }
+
+If the "tls" section is absent, but "tls-mode" is specified and it's
+value is anything but "no", the settings from the global "tls" section
+will be used. Im this case, it is an error if the global "tls"
+section is not defined.
+
+
Version 3.2 - 2017-03-11
* configuration syntax

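Review bot: the "Per-server TLS support" paragraph at the end of the hunk ships two typos in a user-facing NEWS file: "it's value is anything but "no"" should read "its value", and "Im this case" should read "In this case". In the same hunk, the tls-file-checks description says "Valid check names are the same as in previous versions" but does not name them; since the three *-file-safety-checks statements are removed in this release, listing the accepted check names here, or pointing at the relevant section of doc/texinfo/programs.texi that this commit also updates, would save administrators migrating their key-file and certificate-file safety checks a trip to the old manual. The stated fallback rule (a server tls-mode other than "no" with no server tls section falls back to the global tls section, and it is an error if that is also missing) is the right fail-closed behaviour and should stay spelled out as explicitly as it is.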