authorJeremy Harris <jgh146exb@wizmail.org>2022-10-04 13:20:29 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2022-10-04 13:24:35 +0100
commit96751ae76e6c6db435f5a4f141511d6f973b6583 (patch)
treea28e76afda4822ecec068ad65c8b438ebd698d28
parentece23f05d6a430a461a75639197271c23f6858ec (diff)
OpenSSL: fix configuration of older TLS protocol versions
-rw-r--r--doc/doc-txt/ChangeLog4
-rw-r--r--src/src/tls-openssl.c13
-rw-r--r--test/confs/11904
l---------test/confs/20911
-rw-r--r--test/log/11901
-rw-r--r--test/log/20913
-rw-r--r--test/scripts/1190-TLS-ALPN/119026
-rw-r--r--test/scripts/2090-GnuTLS-ALPN/209119
-rw-r--r--test/stdout/209121
9 files changed, 45 insertions, 47 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a662540fe..9d7d02d0e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -43,6 +43,10 @@ JH/09 Fix ${filter } for conditions that modify $value. Previously the
JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all.
Find and fix by Jasen Betts.
+JH/11 OpenSSL: fix for ancient clients needing TLS support for versions earlier
+ than TLSv1,2, Previously, more-recent versions of OpenSSL were permitting
+ the systemwide configuration to override the Exim config.
+
Exim version 4.96
-----------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 0129fb93e..9ddb16fc4 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2210,7 +2210,9 @@ already exists. Might even need this selfsame callback, for reneg? */
SSL_CTX * ctx = state_server.lib_state.lib_ctx;
SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(ctx));
SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(ctx));
+ SSL_CTX_set_min_proto_version(server_sni, SSL3_VERSION);
SSL_CTX_set_options(server_sni, SSL_CTX_get_options(ctx));
+ SSL_CTX_clear_options(server_sni, ~SSL_CTX_get_options(ctx));
SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(ctx));
SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
SSL_CTX_set_tlsext_servername_arg(server_sni, state);
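Review bot: The return value of `SSL_CTX_set_min_proto_version(server_sni, SSL3_VERSION)` is discarded, so a refused floor (the call returns 0 on failure) silently leaves the SNI context at whatever minimum the library or openssl.cnf chose; the same applies to the call added in this file's second hunk, `SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION)`. Since the surrounding lines copy the info callback, mode, options and timeout from the parent ctx, the floor would be more consistent copied from the parent too, e.g. `SSL_CTX_set_min_proto_version(server_sni, SSL_CTX_get_min_proto_version(ctx));`, provided the oldest OpenSSL the tree supports offers the getter. That also keeps the SNI context aligned with the parent in the case where the parent's floor was not lowered, because the second hunk only lowers it inside its `if (init_options)` branch. The function containing these lines starts and ends outside the hunk.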
@@ -2726,10 +2728,15 @@ if (init_options)
}
#endif
- DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
- if (!(SSL_CTX_set_options(ctx, init_options)))
- return tls_error(string_sprintf(
+ SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+ DEBUG(D_tls) debug_printf("setting SSL CTX options: %016lx\n", init_options);
+ SSL_CTX_set_options(ctx, init_options);
+ {
+ ulong readback = SSL_CTX_clear_options(ctx, ~init_options);
+ if (readback != init_options)
+ return tls_error(string_sprintf(
"SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
+ }
}
else
DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
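Review bot: `SSL_CTX_clear_options(ctx, ~init_options)` clears every option bit the Exim config did not request, which strips not only the system-wide openssl.cnf settings the commit targets but also whatever SSL_CTX_new enabled on its own — on recent OpenSSL releases that should include SSL_OP_NO_COMPRESSION, so a deployment whose openssl_options omit `+no_compression` may leave this block with TLS compression re-enabled (worth confirming against the OpenSSL version in use). Together with the SSL3_VERSION floor set just above, every protocol and option restriction now rests solely on init_options, which deserves a comment at the top of the block such as `/* Override library/openssl.cnf defaults: after this, only the bits in init_options remain set */`. The error message still says `SSL_CTX_set_option(%#lx)` although the failure detected is now a readback mismatch; `string_sprintf("SSL_CTX_set_option(%#lx) readback %#lx", init_options, readback)` would show what was actually applied. The min-version floor is applied only inside the `if (init_options)` branch, so with an empty openssl_options the `else` path leaves the library/system minimum in place — presumably intended, but asymmetric with the SNI hunk, which lowers it unconditionally. The enclosing function starts and ends outside the hunk.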
diff --git a/test/confs/1190 b/test/confs/1190
index c65bf5b0c..d368004e9 100644
--- a/test/confs/1190
+++ b/test/confs/1190
@@ -24,6 +24,10 @@ tls_alpn = STRICT
hosts_require_alpn = *
.endif
+.ifdef _HAVE_OPENSSL
+tls_require_ciphers = ALL:@SECLEVEL=0
+openssl_options = -no_sslv3 -no_tlsv1_1 -no_tlsv1
+.endif
# ------ ACL ------
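Review bot: The fixture re-enables SSLv3 (`-no_sslv3`) in addition to TLS1.0/1.1, yet the canned ClientHello in the matching script hunk carries client_version 3,2 (TLS 1.1); unless the 3,0 record-layer version in that packet is what requires it, `openssl_options = -no_tlsv1_1 -no_tlsv1` would keep the weakened test surface to what the client actually negotiates. A one-line comment above the `.ifdef _HAVE_OPENSSL` block saying why SECLEVEL=0 and the old protocol versions are needed, e.g. `# legacy-client case: allow old protocol versions and low-security ciphers`, would spare the next reader a trip to the script.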
diff --git a/test/confs/2091 b/test/confs/2091
deleted file mode 120000
index 9aba31b86..000000000
--- a/test/confs/2091
+++ /dev/null
@@ -1 +0,0 @@
-2090 \ No newline at end of file
diff --git a/test/log/1190 b/test/log/1190
index bbef54bd6..53c56f59a 100644
--- a/test/log/1190
+++ b/test/log/1190
@@ -31,6 +31,7 @@
1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <e@test.ex> R=server
1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
+1999-03-02 09:44:33 TLS error on connection from (IOTtester) [127.0.0.1] (tls lib accept fn): TCP connection closed by peer
1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <f@test.ex> R=server
diff --git a/test/log/2091 b/test/log/2091
deleted file mode 100644
index 61b05e67f..000000000
--- a/test/log/2091
+++ /dev/null
@@ -1,3 +0,0 @@
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
diff --git a/test/scripts/1190-TLS-ALPN/1190 b/test/scripts/1190-TLS-ALPN/1190
index 50fbb7aeb..bd873c391 100644
--- a/test/scripts/1190-TLS-ALPN/1190
+++ b/test/scripts/1190-TLS-ALPN/1190
@@ -24,7 +24,33 @@ exim -DCONTROL="" -odf d@test.ex
# Content-free client option is ok
exim -DCONTROL=" " -odf e@test.ex
****
+#
+# Really dumb (IOT?) client, offering no TLS extensions at all in the Client Hello
+#
+# We're feeding the TLS protocol packet in manually rather then having
+# the TLS-enabled client do it, we (currently) can only drop the TCP conn after
+# the TLS conn completes (or fails).
+# Expect the server to log "TCP connection closed by peer" for the success case;
+# something else logged counts as bad.
+#
+client 127.0.0.1 PORT_D
+??? 220
+EHLO IOTtester
+??? 250-
+??? 250-SIZE
+??? 250-8BITMIME
+??? 250-PIPELINING
+??? 250-STARTTLS
+??? 250 HELP
+STARTTLS
+??? 220
+>>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00
+****
+millisleep 500
+#
+#
killdaemon
+millisleep 500
#
# Server can be told to ignore (bad) ALPN from client
exim -DSERVER=server -DSTRICT="" -bd -oX PORT_D
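Review bot: The raw packet on the `>>>` line is undocumented, so a reader cannot tell what the server is being exercised with without decoding it; a comment above it such as `# TLS record v3,0 carrying a ClientHello: client_version 3,2 (TLS1.1), empty session id, 12 cipher suites, null compression, no extensions block` would make the intent explicit and tie it to the "no TLS extensions" wording in the header comment. The header comment's `rather then having` should read `rather than having`. The two `millisleep 500` lines around `killdaemon` carry no reason; if they exist to let the daemon write the TLS error line before the log is compared, a note like `# allow the daemon to log the TLS error before comparing logs` would say so.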
diff --git a/test/scripts/2090-GnuTLS-ALPN/2091 b/test/scripts/2090-GnuTLS-ALPN/2091
deleted file mode 100644
index de34a1a94..000000000
--- a/test/scripts/2090-GnuTLS-ALPN/2091
+++ /dev/null
@@ -1,19 +0,0 @@
-# TLS: ALPN: IOT client
-# Check server connection survives a TLS client offering no TLS extensions at all (including ALPN)
-gnutls
-exim -DSERVER=server -bd -oX PORT_D
-****
-client 127.0.0.1 PORT_D
-??? 220
-EHLO IOTtester
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-STARTTLS
-??? 250 HELP
-STARTTLS
-??? 220
->>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00
-****
-killdaemon
diff --git a/test/stdout/2091 b/test/stdout/2091
deleted file mode 100644
index fbddb3578..000000000
--- a/test/stdout/2091
+++ /dev/null
@@ -1,21 +0,0 @@
-Connecting to 127.0.0.1 port 1225 ... connected
-??? 220
-<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
->>> EHLO IOTtester
-??? 250-
-<<< 250-myhost.test.ex Hello IOTtester [127.0.0.1]
-??? 250-SIZE
-<<< 250-SIZE 52428800
-??? 250-8BITMIME
-<<< 250-8BITMIME
-??? 250-PIPELINING
-<<< 250-PIPELINING
-??? 250-STARTTLS
-<<< 250-STARTTLS
-??? 250 HELP
-<<< 250 HELP
->>> STARTTLS
-??? 220
-<<< 220 TLS go ahead
->>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00
-End of script