From 7a501c874f028f689c44999ab05bb0d39da46941 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 7 May 2019 22:42:18 +0100 Subject: [PATCH] GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp --- doc/doc-txt/ChangeLog | 3 +++ src/src/tls-gnu.c | 12 ++++++++---- test/log/5651 | 2 +- test/log/5730 | 8 ++++---- test/log/5890 | 32 ++++++++++++++++---------------- 5 files changed, 32 insertions(+), 25 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 59a025b2a..05f2545bc 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -91,6 +91,9 @@ JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks JH/17 OpenSSL: the default openssl_options now disables ssl_v3. +JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the + verification result was not updated unless hosts_require_ocsp applied. + Exim version 4.92 ----------------- diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index df07c536c..dc8cdab5c 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -2757,7 +2757,7 @@ if (!verify_certificate(state, errstr)) } #ifndef DISABLE_OCSP -if (require_ocsp) +if (request_ocsp) { DEBUG(D_tls) { @@ -2781,10 +2781,14 @@ if (require_ocsp) { tlsp->ocsp = OCSP_FAILED; tls_error(US"certificate status check failed", NULL, state->host, errstr); - return FALSE; + if (require_ocsp) + return FALSE; + } + else + { + DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); + tlsp->ocsp = OCSP_VFIED; } - DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); - tlsp->ocsp = OCSP_VFIED; } #endif diff --git a/test/log/5651 b/test/log/5651 index bdba648f2..2b2af41c9 100644 --- a/test/log/5651 +++ b/test/log/5651 @@ -16,7 +16,7 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 3 (failed) 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed diff --git a/test/log/5730 b/test/log/5730 index ad14fe47f..6582d7591 100644 --- a/test/log/5730 +++ b/test/log/5730 @@ -1,10 +1,10 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 3 (failed) 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" -1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 4 (verified) 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" @@ -26,12 +26,12 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 3 (failed) 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D -1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 4 (verified) 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed diff --git a/test/log/5890 b/test/log/5890 index 17ae49497..324e5a4a7 100644 --- a/test/log/5890 +++ b/test/log/5890 @@ -4,7 +4,7 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmaX-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmaX-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmaX-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmaX-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmaX-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmaX-0005vi-00 bits 256 1999-03-02 09:44:33 10HmaX-0005vi-00 => getticket@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" @@ -15,7 +15,7 @@ 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmaZ-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmaZ-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmaZ-0005vi-00 cipher TLS1.x:ke--AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmaZ-0005vi-00 bits 256 1999-03-02 09:44:33 10HmaZ-0005vi-00 tls_out_resumption not requested or offered @@ -23,7 +23,7 @@ 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmaZ-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmaZ-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmaZ-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmaZ-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmaZ-0005vi-00 bits 256 1999-03-02 09:44:33 10HmaZ-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" @@ -36,7 +36,7 @@ 1999-03-02 09:44:33 10HmbC-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbC-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmbC-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbC-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbC-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbC-0005vi-00 cipher TLS1.x:ke--AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbC-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbC-0005vi-00 => renewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbD-0005vi-00" @@ -47,7 +47,7 @@ 1999-03-02 09:44:33 10HmbE-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbE-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmbE-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbE-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbE-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbE-0005vi-00 cipher TLS1.x:ke--AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbE-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbE-0005vi-00 => postrenewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbF-0005vi-00" @@ -58,7 +58,7 @@ 1999-03-02 09:44:33 10HmbG-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbG-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmbG-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbG-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbG-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbG-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbG-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbG-0005vi-00 => timeout@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbH-0005vi-00" @@ -69,7 +69,7 @@ 1999-03-02 09:44:33 10HmbI-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbI-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmbI-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbI-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbI-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbI-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbI-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbI-0005vi-00 => notreq@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbJ-0005vi-00" @@ -80,7 +80,7 @@ 1999-03-02 09:44:33 10HmbK-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbK-0005vi-00 peer cert verified 0 1999-03-02 09:44:33 10HmbK-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbK-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbK-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbK-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbK-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbK-0005vi-00 => noverify_getticket@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no DN="CN=server1.example.com" C="250 OK id=10HmbL-0005vi-00" @@ -91,7 +91,7 @@ 1999-03-02 09:44:33 10HmbM-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbM-0005vi-00 peer cert verified 0 1999-03-02 09:44:33 10HmbM-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbM-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbM-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbM-0005vi-00 cipher TLS1.x:ke--AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbM-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbM-0005vi-00 => noverify_resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke--AES256-SHAnnn:xxx* CV=no DN="CN=server1.example.com" C="250 OK id=10HmbN-0005vi-00" @@ -102,7 +102,7 @@ 1999-03-02 09:44:33 10HmbO-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbO-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmbO-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbO-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbO-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbO-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbO-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbO-0005vi-00 => getticket@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbP-0005vi-00" @@ -113,7 +113,7 @@ 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbQ-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbQ-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbQ-0005vi-00 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbQ-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbQ-0005vi-00 tls_out_resumption not requested or offered @@ -121,7 +121,7 @@ 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmbQ-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbQ-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbQ-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbQ-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbQ-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbQ-0005vi-00 => resume@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbR-0005vi-00" @@ -134,7 +134,7 @@ 1999-03-02 09:44:33 10HmbT-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbT-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmbT-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbT-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbT-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbT-0005vi-00 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbT-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbT-0005vi-00 => renewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbU-0005vi-00" @@ -145,7 +145,7 @@ 1999-03-02 09:44:33 10HmbV-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbV-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmbV-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbV-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbV-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbV-0005vi-00 cipher TLS1.x:ke-PSK-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbV-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbV-0005vi-00 => postrenewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-PSK-AES256-SHAnnn:xxx* CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbW-0005vi-00" @@ -156,7 +156,7 @@ 1999-03-02 09:44:33 10HmbX-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbX-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmbX-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbX-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbX-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbX-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbX-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbX-0005vi-00 => timeout@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbY-0005vi-00" @@ -167,7 +167,7 @@ 1999-03-02 09:44:33 10HmbZ-0005vi-00 peer cert subject CN=server1.example.com 1999-03-02 09:44:33 10HmbZ-0005vi-00 peer cert verified 1 1999-03-02 09:44:33 10HmbZ-0005vi-00 peer dn CN=server1.example.com -1999-03-02 09:44:33 10HmbZ-0005vi-00 ocsp 1 +1999-03-02 09:44:33 10HmbZ-0005vi-00 ocsp 4 1999-03-02 09:44:33 10HmbZ-0005vi-00 cipher TLS1.x:ke-RSA-AES256-SHAnnn:xxx 1999-03-02 09:44:33 10HmbZ-0005vi-00 bits 256 1999-03-02 09:44:33 10HmbZ-0005vi-00 => notreq@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmcA-0005vi-00" -- 2.25.1