SNI handling.
Separately we might try to replace using OCSP_basic_verify() - which seems to not
-be a public interface into the OpenSSL library (there's no manual entry) -
+be a public interface into the OpenSSL library (there's no manual entry) -
But what with? We also use OCSP_basic_verify in the client stapling callback.
And there we NEED it; we must verify that status... unless the
library does it for us anyway? */
else
DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
-/* Disable session cache unconditionally */
-
+/* We'd like to disable session cache unconditionally, but foolish Outlook
+Express clients then give up the first TLS connection and make a second one
+(which works). Only when there is an IMAP service on the same machine.
+Presumably OE is trying to use the cache for A on B. Leave it enabled for
+now, until we work out a decent way of presenting control to the config. It
+will never be used because we use a new context every time. */
+#ifdef notdef
(void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+#endif
/* Initialize with DH parameters if supplied */
/* Initialize ECDH temp key parameter selection */
*/
if (file)
{
- tls_ext_ctx_cb * cbinfo = host
- ? client_static_cbinfo : server_static_cbinfo;
STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
SSL_CTX_set_client_CA_list(sctx, names);
tls_out.certificate_verified = FALSE;
client_verify_callback_called = FALSE;
-if (!expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
- &expciphers, errstr))
+expciphers = NULL;
+#ifdef SUPPORT_DANE
+if (tlsa_dnsa)
+ {
+ /* We fall back to tls_require_ciphers if unset, empty or forced failure, but
+ other failures should be treated as problems. */
+ if (ob->dane_require_tls_ciphers &&
+ !expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
+ &expciphers, errstr))
+ return FAIL;
+ if (expciphers && *expciphers == '\0')
+ expciphers = NULL;
+ }
+#endif
+if (!expciphers &&
+ !expand_check(ob->tls_require_ciphers, US"tls_require_ciphers",
+ &expciphers, errstr))
return FAIL;
/* In OpenSSL, cipher components are separated by hyphens. In GnuTLS, they
inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
MIN(ssl_xfer_buffer_size, lim));
error = SSL_get_error(server_ssl, inbytes);
-alarm(0);
+if (smtp_receive_timeout > 0) alarm(0);
+
+if (had_command_timeout) /* set by signal handler */
+ smtp_command_timeout_exit(); /* does not return */
+if (had_command_sigterm)
+ smtp_command_sigterm_exit();
+if (had_data_timeout)
+ smtp_data_timeout_exit();
+if (had_data_sigint)
+ smtp_data_sigint_exit();
/* SSL_ERROR_ZERO_RETURN appears to mean that the SSL session has been
closed down, not that the socket itself has been closed down. Revert to
if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
SSL_shutdown(server_ssl);
+#ifndef DISABLE_OCSP
sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
+ server_static_cbinfo->verify_stack = NULL;
+#endif
SSL_free(server_ssl);
SSL_CTX_free(server_ctx);
- server_static_cbinfo->verify_stack = NULL;
server_ctx = NULL;
server_ssl = NULL;
tls_in.active = -1;
}
}
+#ifndef DISABLE_OCSP
if (is_server)
{
sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
server_static_cbinfo->verify_stack = NULL;
}
+#endif
SSL_CTX_free(*ctxp);
SSL_free(*sslp);
projects / exim.git / blobdiff