summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2018-06-14 21:28:19 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2018-06-14 21:34:05 +0100
commit7a8b95190c22a8176c583985a41beb3e9ae831cd (patch)
tree48a3acabbeb3bbbedbaf1fe05df65fe3006afac1
parent61e3f250a2ac9944f9dd1a99bd60d859c995cc9a (diff)
OpenSSL: enable use of TLS 1.3 (with OpenSSL 1.1.0 and later)
-rw-r--r--doc/doc-txt/ChangeLog5
-rw-r--r--src/src/tls-openssl.c28
2 files changed, 24 insertions, 9 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3ebc92531..5303b2d50 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -61,6 +61,11 @@ JH/11 Bug 2264: Exim now only follows CNAME chains one step by default. We'd
JH/12 Add client-ip info to non-pass iprev ${authres } lines.
+JH/13 For receent Openssl versions (1.1 onward) use modern generic protocol
+ methods. These should support TLS 1.3; they arrived with TLS 1.3 and the
+ now-deprecated earlier definitions used only specified the range up to TLS
+ 1.2 (in the older-version library docs).
+
Exim version 4.91
-----------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index db48c9451..7e6524dbd 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -70,6 +70,7 @@ functions from the OpenSSL library. */
# if OPENSSL_VERSION_NUMBER >= 0x010100000L
# define EXIM_HAVE_OPENSSL_CHECKHOST
# define EXIM_HAVE_OPENSSL_DH_BITS
+# define EXIM_HAVE_OPENSSL_TLS_METHOD
# endif
# if OPENSSL_VERSION_NUMBER >= 0x010000000L \
&& (OPENSSL_VERSION_NUMBER & 0x0000ff000L) >= 0x000002000L
@@ -1216,7 +1217,11 @@ if (!reexpand_tls_files_for_sni)
not confident that memcpy wouldn't break some internal reference counting.
Especially since there's a references struct member, which would be off. */
+#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
+if (!(server_sni = SSL_CTX_new(TLS_server_method())))
+#else
if (!(server_sni = SSL_CTX_new(SSLv23_server_method())))
+#endif
{
ERR_error_string(ERR_get_error(), ssl_errstring);
DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring);
@@ -1545,7 +1550,11 @@ when OpenSSL is built without SSLv2 support.
By disabling with openssl_options, we can let admins re-enable with the
existing knob. */
+#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
+if (!(ctx = SSL_CTX_new(host ? TLS_client_method() : TLS_server_method())))
+#else
if (!(ctx = SSL_CTX_new(host ? SSLv23_client_method() : SSLv23_server_method())))
+#endif
return tls_error(US"SSL_CTX_new", host, NULL, errstr);
/* It turns out that we need to seed the random number generator this early in
@@ -1635,7 +1644,7 @@ if ((rc = tls_expand_session_files(ctx, cbinfo, errstr)) != OK)
}
# endif
-if (host == NULL) /* server */
+if (!host) /* server */
{
# ifndef DISABLE_OCSP
/* We check u_ocsp.server.file, not server.response, because we care about if
@@ -1704,15 +1713,13 @@ Returns: nothing
static void
construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
{
-/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
+/* With OpenSSL 1.0.0a, 'c' needs to be const but the documentation doesn't
yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
the accessor functions use const in the prototype. */
-const SSL_CIPHER *c;
-const uschar *ver;
-ver = (const uschar *)SSL_get_version(ssl);
+const uschar * ver = CUS SSL_get_version(ssl);
+const SSL_CIPHER * c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
-c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
SSL_CIPHER_get_bits(c, bits);
string_format(cipherbuf, bsize, "%s:%s:%u", ver,
@@ -2360,7 +2367,7 @@ else
client_static_cbinfo, errstr)) != OK)
return rc;
-if ((client_ssl = SSL_new(client_ctx)) == NULL)
+if (!(client_ssl = SSL_new(client_ctx)))
return tls_error(US"SSL_new", host, NULL, errstr);
SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
SSL_set_fd(client_ssl, fd);
@@ -2847,8 +2854,11 @@ while (*s != 0) { if (*s == '_') *s = '-'; s++; }
err = NULL;
-ctx = SSL_CTX_new(SSLv23_server_method());
-if (!ctx)
+#ifdef EXIM_HAVE_OPENSSL_TLS_METHOD
+if (!(ctx = SSL_CTX_new(TLS_server_method())))
+#else
+if (!(ctx = SSL_CTX_new(SSLv23_server_method())))
+#endif
{
ERR_error_string(ERR_get_error(), ssl_errstring);
return string_sprintf("SSL_CTX_new() failed: %s", ssl_errstring);