This option controls whether, at readconf time, we start a TLS check
in a subprocess. The option defaults to TRUE, for backward
compatibility.
No tests introduced to the testsuite, as exactly the message about
the created child process gets filtered out by the munger of runtest
.row &%tls_eccurve%& "EC curve selection for server"
.row &%tls_ocsp_file%& "location of server certificate status proof"
.row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports"
.row &%tls_eccurve%& "EC curve selection for server"
.row &%tls_ocsp_file%& "location of server certificate status proof"
.row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports"
+.row &%tls_pre_flight_checks%& "control TLS checks during process startup"
.row &%tls_privatekey%& "location of server private key"
.row &%tls_remember_esmtp%& "don't reset after starting TLS"
.row &%tls_require_ciphers%& "specify acceptable ciphers"
.row &%tls_privatekey%& "location of server private key"
.row &%tls_remember_esmtp%& "don't reset after starting TLS"
.row &%tls_require_ciphers%& "specify acceptable ciphers"
further details, see section &<<SECTsupobssmt>>&.
further details, see section &<<SECTsupobssmt>>&.
+.new
+.option tls_pre_flight_checks main boolean true
+.cindex TLS "pre flight checks"
+.cindex TLS "startup"
+This option controls, if, during process startup, speculative tests are
+done in a suprocess. Disabling this tests may delay TLS errors and may
+make them harder to debug. This is an advanced option. This option is
+experimental and may be removed or renamed without further notice.
+.wen
+
.option tls_privatekey main string list&!! unset
.cindex "TLS" "server private key; location of"
.option tls_privatekey main string list&!! unset
.cindex "TLS" "server private key; location of"
affect Exim's operation, with an unchanged configuration file. For new
options, and new features, see the NewStuff file next to this ChangeLog.
affect Exim's operation, with an unchanged configuration file. For new
options, and new features, see the NewStuff file next to this ChangeLog.
+Exim next version
+-----------------
+
+HS/01 Add tls_pre_flight_checks (experimental)
+
+
Exim version 4.92.2
-------------------
Exim version 4.92.2
-------------------
test from the snapshots or the Git before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
test from the snapshots or the Git before the documentation is updated. Once
the documentation is updated, this file is reduced to a short list.
+Version 4.92++
+--------------
+
+ x. New main config option tls_pre_flight_checks
+
+
Version 4.92
--------------
Version 4.92
--------------
+BOOL tls_pre_flight_checks = TRUE; /* do the TLS checks at readconf time */
+
uschar *dsn_envid = NULL;
int dsn_ret = 0;
const pcre *regex_DSN = NULL;
uschar *dsn_envid = NULL;
int dsn_ret = 0;
const pcre *regex_DSN = NULL;
} tls_support;
extern tls_support tls_in;
extern tls_support tls_out;
} tls_support;
extern tls_support tls_in;
extern tls_support tls_out;
+extern BOOL tls_pre_flight_checks; /* do the TLS checks at readconf time */
#ifdef SUPPORT_TLS
extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
#ifdef SUPPORT_TLS
extern BOOL gnutls_compat_mode; /* Less security, more compatibility */
{ "tls_ocsp_file", opt_stringptr, &tls_ocsp_file },
# endif
{ "tls_on_connect_ports", opt_stringptr, &tls_in.on_connect_ports },
{ "tls_ocsp_file", opt_stringptr, &tls_ocsp_file },
# endif
{ "tls_on_connect_ports", opt_stringptr, &tls_in.on_connect_ports },
+ { "tls_pre_flight_checks", opt_bool, &tls_pre_flight_checks },
{ "tls_privatekey", opt_stringptr, &tls_privatekey },
{ "tls_remember_esmtp", opt_bool, &tls_remember_esmtp },
{ "tls_require_ciphers", opt_stringptr, &tls_require_ciphers },
{ "tls_privatekey", opt_stringptr, &tls_privatekey },
{ "tls_remember_esmtp", opt_bool, &tls_remember_esmtp },
{ "tls_require_ciphers", opt_stringptr, &tls_require_ciphers },
/* This also checks that the library linkage is working and we can call
routines in it, so call even if tls_require_ciphers is unset */
/* This also checks that the library linkage is working and we can call
routines in it, so call even if tls_require_ciphers is unset */
-if (!tls_dropprivs_validate_require_cipher(nowarn))
+if (tls_pre_flight_checks && !tls_dropprivs_validate_require_cipher(nowarn))
exit(1);
/* Magic number: at time of writing, 1024 has been the long-standing value
exit(1);
/* Magic number: at time of writing, 1024 has been the long-standing value
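Review bot: The comment above the changed `if` still says the cipher validation is called unconditionally ("so call even if tls_require_ciphers is unset"), but the new `tls_pre_flight_checks &&` guard makes it skippable; when the option is false, a broken library linkage or an invalid `tls_require_ciphers` value is no longer caught at config-read time and surfaces only when TLS is first negotiated. Extend the comment to record that trade-off: `/* Skipped when tls_pre_flight_checks is false: a bad tls_require_ciphers or library fault is then only detected on first TLS use. */`. The option's specification text in the doc hunk says only "may delay TLS errors"; stating concretely which check is skipped would help an operator decide whether to turn it off. The enclosing function starts and ends outside the hunk.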