X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Fsrc%2Ftls-openssl.c;h=18cb787a5a6addd64540a954b3e40cee255da27c;hb=de6135a0cbbeb4fbae7233a40563a241de1c237b;hp=d879f08736e4a19f5a9671978b0048bdefbfe611;hpb=02d9264f4274f50039bfbcc4a51e2d9684625efd;p=exim.git
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index d879f0873..18cb787a5 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1008,7 +1008,7 @@ uschar *expcerts, *expcrl;
 if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
 return DEFER;
 
-if (expcerts != NULL)
+if (expcerts != NULL && *expcerts != '\0')
 {
 struct stat statbuf;
 if (!SSL_CTX_set_default_verify_paths(sctx))
@@ -1753,12 +1753,26 @@ vaguely_random_number(int max)
 {
 unsigned int r;
 int i, needed_len;
+static pid_t pidlast = 0;
+pid_t pidnow;
 uschar *p;
 uschar smallbuf[sizeof(r)];
 
 if (max <= 1)
 return 0;
 
+pidnow = getpid();
+if (pidnow != pidlast)
+ {
+ /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
+ is unique for each thread", this doesn't apparently apply across processes,
+ so our own warning from vaguely_random_number_fallback() applies here too.
+ Fix per PostgreSQL. */
+ if (pidlast != 0)
+ RAND_cleanup();
+ pidlast = pidnow;
+ }
+
 /* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
 if (!RAND_status())
 {
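Review bot: With the added `*expcerts != '\0'` test in the `-1008` hunk, a `tls_verify_certificates` value that expands to the empty string now skips the whole block that begins with `SSL_CTX_set_default_verify_paths(sctx)`, and nothing in the visible lines records that this happened. An expansion that comes out empty by accident (a lookup or conditional yielding nothing) would leave the context without the configured CA locations, and whether peer verification is still enforced afterwards cannot be seen from this hunk. I would put a comment above the test, `/* An empty expansion is treated as unset: no CA file or directory is loaded */`, and consider a debug line in the skipped case so the condition shows up when diagnosing verification problems. The enclosing function starts and ends outside the hunk.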
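Review bot: The `if (pidlast != 0)` guard in the `-1753` hunk skips `RAND_cleanup()` on the first call in every process, so a child forked from a parent that never called `vaguely_random_number()` keeps whatever OpenSSL PRNG state it inherited. If the parent had already used the PRNG through other OpenSSL calls (not visible here), sibling children could still start from identical state, which is the case the new comment sets out to prevent. Calling `RAND_cleanup();` unconditionally inside the `pidnow != pidlast` branch would cover that, with the `RAND_status()` double-check that follows presumably handling the re-seed; otherwise the comment should say why the first call is safe. The reset also protects only callers of this function, and the function body continues past the end of the hunk.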