OCSP/SNI: set correct callback.

Caught by Jeremy; was wrong in (my) original commit, the dual-TLS work
had just renamed the variables and theoretically made it more visible.
I still missed it.

The server_sni context initialisation was setting the OCSP status
callback context parameter back on the original server_ctx instead of
the new server_sni context.

I guess OCSP and SNI aren't being used together in Exim much yet.

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9ed827f49a13744c415f6599b285d31c92223d76..bf8141351360d420e51c99178ac2ef0480f533c9 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -143,6 +143,11 @@ GF/01 DCC debug and logging tidyup
 
 TF/03 Avoid unnecessary rebuilds of lookup-related code.
 
 
 TF/03 Avoid unnecessary rebuilds of lookup-related code.
 

+PP/14 Fix OCSP reinitialisation in SNI handling for Exim/TLS as server.
+      Bug spotted by Jeremy Harris; was flawed since initial commit.
+      Would have resulted in OCSP responses post-SNI triggering an Exim
+      NULL dereference and crash.
+

 
 Exim version 4.80.1
 -------------------
 
 Exim version 4.80.1
 -------------------

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 08b92bae56f9e3023ed88f804a71d4a97704b6a0..44099358571305d630273530cf2f3cd135423f5f 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -689,7 +689,7 @@ if (cbinfo->server_cipher_list)
 if (cbinfo->ocsp_file)
   {
   SSL_CTX_set_tlsext_status_cb(server_sni, tls_stapling_cb);
 if (cbinfo->ocsp_file)
   {
   SSL_CTX_set_tlsext_status_cb(server_sni, tls_stapling_cb);

-  SSL_CTX_set_tlsext_status_arg(server_ctx, cbinfo);
+  SSL_CTX_set_tlsext_status_arg(server_sni, cbinfo);

   }
 #endif
 
   }
 #endif