diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-05-02 21:01:43 +0100 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-05-02 21:01:43 +0100 |
| commit | 43e2db44c657b07340368eae5dd05e51eab829fb (patch) | |
| tree | d0636efe2a6478cfdbd9da584d02bc5dbbc4f845 | |
| parent | e570d1363603ca4a58401008541408d74cd0ce40 (diff) | |
TLS: library version build-time checks for resumption support
| -rw-r--r-- | doc/doc-txt/experimental-spec.txt | 5 | ||||
| -rw-r--r-- | src/src/tls-gnu.c | 8 | ||||
| -rw-r--r-- | src/src/tls-openssl.c | 6 |
3 files changed, 15 insertions, 4 deletions
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index a2861c4a9..feecb3375 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -953,9 +953,10 @@ Transport configurations should be checked for this. An example avoidance: TLS Session Resumption ---------------------- -TLS Session Resumption for TLS 1.2 and TLS1.3 connections can be used (defined +TLS Session Resumption for TLS 1.2 and TLS 1.3 connections can be used (defined in RFC 5077 for 1.2). The support for this can be included by building with -EXPERIMENTAL_TLS_RESUME defined. +EXPERIMENTAL_TLS_RESUME defined. This requires GnuTLS 3.6.3 or OpenSSL 1.1.1 +(or later). Session resumption (this is the "stateless" variant) involves the server sending a "session ticket" to the client on one connection, which can be stored by the diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 03002c704..085f6b840 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -89,6 +89,12 @@ require current GnuTLS, then we'll drop support for the ancient libraries). # endif #endif +#ifdef EXPERIMENTAL_TLS_RESUME +# if GNUTLS_VERSION_NUMBER < 0x030603 +# error GNUTLS version too early for session-resumption +# endif +#endif + #ifndef DISABLE_OCSP # include <gnutls/ocsp.h> #endif @@ -2475,7 +2481,6 @@ but this flag is not set until the second. TLS 1.3 it's the other way about. Keep both calls as the session data cannot be extracted before handshake completes. */ -#ifdef GNUTLS_SFLAGS_SESSION_TICKET if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET) { gnutls_datum_t tkt; @@ -2510,7 +2515,6 @@ if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET) else DEBUG(D_tls) debug_printf("extract session data: %s\n", US gnutls_strerror(rc)); } -#endif } diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index e47df7cb2..824212dbc 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -108,6 +108,12 @@ change this guard and punt the issue for a while longer. */ # define DISABLE_OCSP #endif +#ifdef EXPERIMENTAL_TLS_RESUME +# if OPENSSL_VERSION_NUMBER < 0x0101010L +# error OpenSSL version too old for session-resumption +# endif +#endif + #ifdef EXIM_HAVE_OPENSSL_CHECKHOST # include <openssl/x509v3.h> #endif |