From 012dd02e8436a8451afc4a8f69e128e257566c80 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sun, 29 Sep 2019 15:20:31 +0100
Subject: [PATCH] OpenSSL: fix build on earlier library versions

---
 doc/doc-docbook/spec.xfpt | 2 +-
 src/src/tls-openssl.c | 9 +++++++++
 test/log/5602 | 16 ++++++++++++++++
 test/scripts/5600-OCSP-OpenSSL/5602 | 1 +
 4 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 test/log/5602

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 9833f19e4..273348ac8 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -17833,7 +17833,7 @@ Certificate Authority. Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
 .new
-For OpenSSL, and
+For OpenSSL 1.1.0 or later, and
 .wen
 for GnuTLS 3.5.6 or later the expanded value of this option can be a list of files,
 to match a list given for the &%tls_certificate%& option.
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 057a0e006..d165eb2c0 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -74,6 +74,7 @@ change this guard and punt the issue for a while longer. */
 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
 # define EXIM_HAVE_SESSION_TICKET
 # define EXIM_HAVE_OPESSL_TRACE
+# define EXIM_HAVE_OPESSL_GET0_SERIAL
 # else
 # define EXIM_NEED_OPENSSL_INIT
 # endif
@@ -1714,6 +1715,7 @@ tls_in.ocsp = OCSP_NOT_RESP;
 if (!olist)
 return SSL_TLSEXT_ERR_NOACK;
+#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
 {
 const X509 * cert_sent = SSL_get_certificate(s);
 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
@@ -1761,6 +1763,13 @@ if (!olist)
 return SSL_TLSEXT_ERR_NOACK;
 }
 }
+#else
+if (olist->next)
+ {
+ DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+#endif
 /*XXX could we do the i2d earlier, rather than during the callback? */
 response_der = NULL;
diff --git a/test/log/5602 b/test/log/5602
new file mode 100644
index 000000000..95a283edd
--- /dev/null
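Review bot: In the new `#else` branch of the third src/src/tls-openssl.c hunk, a multi-entry OCSP response list on a pre-1.1.0 OpenSSL build is declined with only a `DEBUG(D_tls)` message, so an operator who configured several tls_ocsp_file entries gets no staple and nothing in the main log explaining why, while clients that require a staple fail TLS verification with no server-side trace outside a debug run. The cleaner fix is to reject a multi-entry list once, when the responses are loaded at startup, under the same `EXIM_HAVE_OPESSL_GET0_SERIAL` guard; failing that, `log_write(0, LOG_MAIN, "OpenSSL version too early to support multi-leaf OCSP; no staple sent");` next to the debug line would at least make the per-connection refusal visible. The single-entry fallthrough presumably preserves the pre-multi-leaf behaviour only if the code after `#endif` relies on `olist` still pointing at the one loaded response, which is worth confirming since the `#ifdef` block cut by the second hunk appears to walk `olist` to the matching entry. The added macro also carries the `OPESSL` misspelling over from the adjacent `EXIM_HAVE_OPESSL_TRACE`; consistent, but both names are worth correcting together. The enclosing callback begins before the second hunk and ends after the third.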
+++ b/test/log/5602
@@ -0,0 +1,16 @@
+1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 2: Server sends good staple on request, to client preferring ECDSA auth
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => ecdsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example_ec.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
diff --git a/test/scripts/5600-OCSP-OpenSSL/5602 b/test/scripts/5600-OCSP-OpenSSL/5602
index 07fda294c..02c27ce44 100644
--- a/test/scripts/5600-OCSP-OpenSSL/5602
+++ b/test/scripts/5600-OCSP-OpenSSL/5602
@@ -1,4 +1,5 @@
 # OCSP stapling, server, multiple leaf-certs
+# This will fail on OpenSSL versions before 1.1.0
 #
 #
 #
-- 
2.25.1