diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2022-10-04 13:20:29 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2022-10-04 13:24:35 +0100 |
commit | 96751ae76e6c6db435f5a4f141511d6f973b6583 (patch) | |
tree | a28e76afda4822ecec068ad65c8b438ebd698d28 | |
parent | ece23f05d6a430a461a75639197271c23f6858ec (diff) |
OpenSSL: fix configuration of older TLS protocol versions
-rw-r--r-- | doc/doc-txt/ChangeLog | 4 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 13 | ||||
-rw-r--r-- | test/confs/1190 | 4 | ||||
l--------- | test/confs/2091 | 1 | ||||
-rw-r--r-- | test/log/1190 | 1 | ||||
-rw-r--r-- | test/log/2091 | 3 | ||||
-rw-r--r-- | test/scripts/1190-TLS-ALPN/1190 | 26 | ||||
-rw-r--r-- | test/scripts/2090-GnuTLS-ALPN/2091 | 19 | ||||
-rw-r--r-- | test/stdout/2091 | 21 |
9 files changed, 45 insertions, 47 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index a662540fe..9d7d02d0e 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -43,6 +43,10 @@ JH/09 Fix ${filter } for conditions that modify $value. Previously the JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all. Find and fix by Jasen Betts. +JH/11 OpenSSL: fix for ancient clients needing TLS support for versions earlier + than TLSv1,2, Previously, more-recent versions of OpenSSL were permitting + the systemwide configuration to override the Exim config. + Exim version 4.96 ----------------- diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 0129fb93e..9ddb16fc4 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -2210,7 +2210,9 @@ already exists. Might even need this selfsame callback, for reneg? */ SSL_CTX * ctx = state_server.lib_state.lib_ctx; SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(ctx)); SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(ctx)); + SSL_CTX_set_min_proto_version(server_sni, SSL3_VERSION); SSL_CTX_set_options(server_sni, SSL_CTX_get_options(ctx)); + SSL_CTX_clear_options(server_sni, ~SSL_CTX_get_options(ctx)); SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(ctx)); SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb); SSL_CTX_set_tlsext_servername_arg(server_sni, state); @@ -2726,10 +2728,15 @@ if (init_options) } #endif - DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options); - if (!(SSL_CTX_set_options(ctx, init_options))) - return tls_error(string_sprintf( + SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); + DEBUG(D_tls) debug_printf("setting SSL CTX options: %016lx\n", init_options); + SSL_CTX_set_options(ctx, init_options); + { + ulong readback = SSL_CTX_clear_options(ctx, ~init_options); + if (readback != init_options) + return tls_error(string_sprintf( "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr); + } } else DEBUG(D_tls) debug_printf("no SSL CTX options to set\n"); diff --git a/test/confs/1190 b/test/confs/1190 index c65bf5b0c..d368004e9 100644 --- a/test/confs/1190 +++ b/test/confs/1190 @@ -24,6 +24,10 @@ tls_alpn = STRICT hosts_require_alpn = * .endif +.ifdef _HAVE_OPENSSL +tls_require_ciphers = ALL:@SECLEVEL=0 +openssl_options = -no_sslv3 -no_tlsv1_1 -no_tlsv1 +.endif # ------ ACL ------ diff --git a/test/confs/2091 b/test/confs/2091 deleted file mode 120000 index 9aba31b86..000000000 --- a/test/confs/2091 +++ /dev/null @@ -1 +0,0 @@ -2090
\ No newline at end of file diff --git a/test/log/1190 b/test/log/1190 index bbef54bd6..53c56f59a 100644 --- a/test/log/1190 +++ b/test/log/1190 @@ -31,6 +31,7 @@ 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <e@test.ex> R=server 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed +1999-03-02 09:44:33 TLS error on connection from (IOTtester) [127.0.0.1] (tls lib accept fn): TCP connection closed by peer 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <f@test.ex> R=server diff --git a/test/log/2091 b/test/log/2091 deleted file mode 100644 index 61b05e67f..000000000 --- a/test/log/2091 +++ /dev/null @@ -1,3 +0,0 @@ - -******** SERVER ******** -1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D diff --git a/test/scripts/1190-TLS-ALPN/1190 b/test/scripts/1190-TLS-ALPN/1190 index 50fbb7aeb..bd873c391 100644 --- a/test/scripts/1190-TLS-ALPN/1190 +++ b/test/scripts/1190-TLS-ALPN/1190 @@ -24,7 +24,33 @@ exim -DCONTROL="" -odf d@test.ex # Content-free client option is ok exim -DCONTROL=" " -odf e@test.ex **** +# +# Really dumb (IOT?) client, offering no TLS extensions at all in the Client Hello +# +# We're feeding the TLS protocol packet in manually rather then having +# the TLS-enabled client do it, we (currently) can only drop the TCP conn after +# the TLS conn completes (or fails). +# Expect the server to log "TCP connection closed by peer" for the success case; +# something else logged counts as bad. +# +client 127.0.0.1 PORT_D +??? 220 +EHLO IOTtester +??? 250- +??? 250-SIZE +??? 250-8BITMIME +??? 250-PIPELINING +??? 250-STARTTLS +??? 250 HELP +STARTTLS +??? 220 +>>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00 +**** +millisleep 500 +# +# killdaemon +millisleep 500 # # Server can be told to ignore (bad) ALPN from client exim -DSERVER=server -DSTRICT="" -bd -oX PORT_D diff --git a/test/scripts/2090-GnuTLS-ALPN/2091 b/test/scripts/2090-GnuTLS-ALPN/2091 deleted file mode 100644 index de34a1a94..000000000 --- a/test/scripts/2090-GnuTLS-ALPN/2091 +++ /dev/null @@ -1,19 +0,0 @@ -# TLS: ALPN: IOT client -# Check server connection survives a TLS client offering no TLS extensions at all (including ALPN) -gnutls -exim -DSERVER=server -bd -oX PORT_D -**** -client 127.0.0.1 PORT_D -??? 220 -EHLO IOTtester -??? 250- -??? 250-SIZE -??? 250-8BITMIME -??? 250-PIPELINING -??? 250-STARTTLS -??? 250 HELP -STARTTLS -??? 220 ->>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00 -**** -killdaemon diff --git a/test/stdout/2091 b/test/stdout/2091 deleted file mode 100644 index fbddb3578..000000000 --- a/test/stdout/2091 +++ /dev/null @@ -1,21 +0,0 @@ -Connecting to 127.0.0.1 port 1225 ... connected -??? 220 -<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 ->>> EHLO IOTtester -??? 250- -<<< 250-myhost.test.ex Hello IOTtester [127.0.0.1] -??? 250-SIZE -<<< 250-SIZE 52428800 -??? 250-8BITMIME -<<< 250-8BITMIME -??? 250-PIPELINING -<<< 250-PIPELINING -??? 250-STARTTLS -<<< 250-STARTTLS -??? 250 HELP -<<< 250 HELP ->>> STARTTLS -??? 220 -<<< 220 TLS go ahead ->>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00 -End of script |