cbinfo->privatekey = privatekey;
#ifdef EXPERIMENTAL_OCSP
cbinfo->ocsp_file = ocsp_file;
+cbinfo->ocsp_file_expanded = NULL;
+cbinfo->ocsp_response = NULL;
#endif
cbinfo->dhparam = dhparam;
cbinfo->host = host;
if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
return DEFER;
-if (expcerts != NULL)
+if (expcerts != NULL && *expcerts != '\0')
{
struct stat statbuf;
if (!SSL_CTX_set_default_verify_paths(sctx))
#else
DEBUG(D_tls)
debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
- tls_sni);
+ tls_out.sni);
#endif
}
}
{
unsigned int r;
int i, needed_len;
+static pid_t pidlast = 0;
+pid_t pidnow;
uschar *p;
uschar smallbuf[sizeof(r)];
if (max <= 1)
return 0;
+pidnow = getpid();
+if (pidnow != pidlast)
+ {
+ /* Although OpenSSL documents that "OpenSSL makes sure that the PRNG state
+ is unique for each thread", this doesn't apparently apply across processes,
+ so our own warning from vaguely_random_number_fallback() applies here too.
+ Fix per PostgreSQL. */
+ if (pidlast != 0)
+ RAND_cleanup();
+ pidlast = pidnow;
+ }
+
/* OpenSSL auto-seeds from /dev/random, etc, but this a double-check. */
if (!RAND_status())
{