OpenSSL: discard expired resumption session in client
authorJeremy Harris <jgh146exb@wizmail.org>
Mon, 6 May 2019 11:28:14 +0000 (12:28 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Tue, 7 May 2019 21:45:51 +0000 (22:45 +0100)
doc/doc-txt/experimental-spec.txt
src/src/tls-openssl.c
test/log/5891

index aa7046e..f304cf4 100644 (file)
@@ -1004,7 +1004,8 @@ Issues:
     will be true, when verify failed but tls_try_verify_hosts allowed the
     connection (under OpenSSL)
   $tls_{in,out}_cipher will have values different to the original (under GnuTLS)
-  $tls_{in,out}_ocsp will be "not requested" or "no response"
+  $tls_{in,out}_ocsp will be "not requested" or "no response", and
+  hosts_require_ocsp will fail
 
 
 --------------------------------------------------------------
index ee52b7c..df88435 100644 (file)
@@ -2731,6 +2731,12 @@ if (tlsp->host_resumable)
          debug_printf("decoding session: %s\n", ssl_errstring);
          }
        }
+      else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
+              < time(NULL))
+       {
+       DEBUG(D_tls) debug_printf("session expired\n");
+       dbfn_delete(dbm_file, key);
+       }
       else if (!SSL_set_session(ssl, ss))
        {
        DEBUG(D_tls)
index 6edba3c..56c00dd 100644 (file)
@@ -53,7 +53,7 @@
 1999-03-02 09:44:33 10HmbE-0005vi-00 => postrenewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbF-0005vi-00"
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for timeout@test.ex
-1999-03-02 09:44:33 10HmbG-0005vi-00 tls_out_resumption client offered session, server only provided new ticket
+1999-03-02 09:44:33 10HmbG-0005vi-00 tls_out_resumption client requested new ticket, server provided
 1999-03-02 09:44:33 10HmbG-0005vi-00 our cert subject  
 1999-03-02 09:44:33 10HmbG-0005vi-00 peer cert subject CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK
 1999-03-02 09:44:33 10HmbG-0005vi-00 peer cert verified        1
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbE-0005vi-00@myhost.test.ex for postrenewal@test.ex
 1999-03-02 09:44:33 10HmbF-0005vi-00 => :blackhole: <postrenewal@test.ex> R=server
 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
-1999-03-02 09:44:33 tls_in_resumption  client offered session, server only provided new ticket
+1999-03-02 09:44:33 tls_in_resumption  client requested new ticket, server provided
 1999-03-02 09:44:33 our cert subject   CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK
 1999-03-02 09:44:33 peer cert subject  
 1999-03-02 09:44:33 peer cert verified 0