# define EXIM_HAVE_OPENSSL_CHECKHOST
# define EXIM_HAVE_OPENSSL_DH_BITS
# define EXIM_HAVE_OPENSSL_TLS_METHOD
+# define EXIM_HAVE_OPENSSL_KEYLOG
# else
# define EXIM_NEED_OPENSSL_INIT
# endif
# endif
#endif
+#ifndef LIBRESSL_VERSION_NUMBER
+# if OPENSSL_VERSION_NUMBER >= 0x010101000L
+# define OPENSSL_HAVE_KEYLOG_CB
+# define OPENSSL_HAVE_NUM_TICKETS
+# endif
+#endif
+
#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP)
# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
# define DISABLE_OCSP
}
}
+#ifdef OPENSSL_HAVE_KEYLOG_CB
+static void
+keylog_callback(const SSL *ssl, const char *line)
+{
+DEBUG(D_tls) debug_printf("%.200s\n", line);
+}
+#endif
+
/*************************************************
level. */
DEBUG(D_tls) SSL_CTX_set_info_callback(ctx, (void (*)())info_callback);
+#ifdef OPENSSL_HAVE_KEYLOG_CB
+DEBUG(D_tls) SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback);
+#endif
/* Automatically re-try reads/writes after renegotiation. */
(void) SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
else
DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
+#ifdef OPENSSL_HAVE_NUM_TICKETS
+SSL_CTX_set_num_tickets(ctx, 0); /* send no TLS1.3 stateful-tickets */
+#endif
+
/* We'd like to disable session cache unconditionally, but foolish Outlook
Express clients then give up the first TLS connection and make a second one
(which works). Only when there is an IMAP service on the same machine.
peer_cert(server_ssl, &tls_in, peerdn, sizeof(peerdn));
-construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
-tls_in.cipher = cipherbuf;
-
DEBUG(D_tls)
{
uschar buf[2048];
if (SSL_get_shared_ciphers(server_ssl, CS buf, sizeof(buf)) != NULL)
debug_printf("Shared ciphers: %s\n", buf);
+
+#ifdef EXIM_HAVE_OPENSSL_KEYLOG
+ {
+ BIO * bp = BIO_new(BIO_s_mem());
+ uschar * s;
+ int len;
+ SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
+ len = (int) BIO_get_mem_data(bp, CSS &s);
+ debug_printf("%.*s", len, s);
+ BIO_free(bp);
}
+#endif
+ }
+
+construct_cipher_name(server_ssl, cipherbuf, sizeof(cipherbuf), &tls_in.bits);
+tls_in.cipher = cipherbuf;
/* Record the certificate we presented */
{
return NULL;
}
-DEBUG(D_tls) debug_printf("SSL_connect succeeded\n");
+DEBUG(D_tls)
+ {
+ debug_printf("SSL_connect succeeded\n");
+#ifdef EXIM_HAVE_OPENSSL_KEYLOG
+ {
+ BIO * bp = BIO_new(BIO_s_mem());
+ uschar * s;
+ int len;
+ SSL_SESSION_print_keylog(bp, SSL_get_session(server_ssl));
+ len = (int) BIO_get_mem_data(bp, CSS &s);
+ debug_printf("%.*s", len, s);
+ BIO_free(bp);
+ }
+#endif
+ }
peer_cert(exim_client_ctx->ssl, tlsp, peerdn, sizeof(peerdn));