&*Note*&: Under versions of OpenSSL preceding 1.1.1,
when a list of more than one
file is used for &%tls_certificate%&, this variable is not reliable.
+.new
+The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.
+.wen
.vitem &$tls_in_peercert$&
.vindex "&$tls_in_peercert$&"
&*Note*&: Under versions of OpenSSL preceding 1.1.1,
when a list of more than one
file is used, the &$tls_in_ourcert$& variable is unreliable.
-
-&*Note*&: OCSP stapling is not usable under OpenSSL
-when a list of more than one file is used.
+.new
+The macro "_TLS_BAD_MULTICERT_IN_OURCERT" will be defined for those versions.
+.wen
If the option contains &$tls_out_sni$& and Exim is built against OpenSSL, then
if the OpenSSL build supports TLS extensions and the TLS client sends the
Certificate Authority.
Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
+.new
+The macro "_HAVE_TLS_OCSP" will be defined for those versions.
+.wen
.new
For OpenSSL 1.1.0 or later, and
for GnuTLS 3.5.6 or later the expanded value of this option can be a list
of files, to match a list given for the &%tls_certificate%& option.
The ordering of the two lists must match.
+.new
+The macro "_HAVE_TLS_OCSP_LIST" will be defined for those versions.
+.wen
.new
The file(s) should be in DER format,
# define GNUTLS_AUTO_GLOBAL_INIT
# define GNUTLS_AUTO_PKCS11_MANUAL
#endif
+#if (GNUTLS_VERSION_NUMBER >= 0x030404) \
+ || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
+# ifndef DISABLE_OCSP
+# define EXIM_HAVE_OCSP
+# endif
+#endif
#if GNUTLS_VERSION_NUMBER >= 0x030500
# define SUPPORT_GNUTLS_KEYLOG
#endif
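Review bot: The second alternative of the added `#if` can never be true, because `==` binds tighter than `&` and so `GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300` is evaluated as `GNUTLS_VERSION_NUMBER & 0`. GnuTLS 3.3.17 and later 3.3.x builds therefore never get `EXIM_HAVE_OCSP`, although the documentation hunk in this commit names 3.3.17 as usable. On those builds `_HAVE_TLS_OCSP` would not be created, and a configuration that tests the macro would presumably leave stapling off without any warning. Parenthesise the mask and the `&&` group: `|| ((GNUTLS_VERSION_NUMBER >= 0x030311) && ((GNUTLS_VERSION_NUMBER & 0xffff00) == 0x030300))`.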
# ifdef EXIM_HAVE_TLS1_3
builtin_macro_create(US"_HAVE_TLS1_3");
# endif
+# ifdef EXIM_HAVE_OCSP
+builtin_macro_create(US"_HAVE_TLS_OCSP");
+# endif
+# ifdef SUPPORT_SRV_OCSP_STACK
+builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
+# endif
}
#else
# define EXIM_HAVE_SESSION_TICKET
# define EXIM_HAVE_OPESSL_TRACE
# define EXIM_HAVE_OPESSL_GET0_SERIAL
+# ifndef DISABLE_OCSP
+# define EXIM_HAVE_OCSP
+# endif
# else
# define EXIM_NEED_OPENSSL_INIT
# endif
# define OPENSSL_HAVE_KEYLOG_CB
# define OPENSSL_HAVE_NUM_TICKETS
# define EXIM_HAVE_OPENSSL_CIPHER_STD_NAME
+# else
+# define OPENSSL_BAD_SRVR_OURCERT
# endif
#endif
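Review bot: The added `# else` branch defines `OPENSSL_BAD_SRVR_OURCERT` without saying which version test it negates, and the matching `#if` lies outside this hunk. Going by the documentation change in the same commit, this is presumably the pre-1.1.1 case. A comment on the define, such as `/* OpenSSL < 1.1.1: $tls_in_ourcert unreliable with a multi-file tls_certificate */`, would let a reader connect it to the `_TLS_BAD_MULTICERT_IN_OURCERT` macro created from it.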
# ifdef SSL_OP_NO_TLSv1_3
builtin_macro_create(US"_HAVE_TLS1_3");
# endif
+# ifdef OPENSSL_BAD_SRVR_OURCERT
+builtin_macro_create(US"_TLS_BAD_MULTICERT_IN_OURCERT");
+# endif
+# ifdef EXIM_HAVE_OCSP
+builtin_macro_create(US"_HAVE_TLS_OCSP");
+builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
+# endif
}
#else