authorJeremy Harris <jgh146exb@wizmail.org>2022-04-07 21:16:48 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2022-04-07 21:16:48 +0100
commitd95313eb794f13bf43af3f0cbcc31491a5091fd2 (patch)
tree283791f3afd7c3e899e773c1757ae0a848e9dee4
parent6259ba7148cd408d4704850c206dfc2248d2d1cc (diff)
Openssl client: ocsp stapling on resumed seesion
-rw-r--r--doc/doc-txt/ChangeLog5
-rw-r--r--src/src/tls-openssl.c25
2 files changed, 18 insertions, 12 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3b1aa2664..239731436 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -121,6 +121,11 @@ JH/27 Support the PIPECONNECT facility in the smtp transport when the helo_data
Previously any use of the local address in the EHLO name disabled
PIPECONNECT, the common case being to use the rDNS of it.
+JH/28 OpenSSL: fix transport-required OCSP stapling verification under session
+ resumption. Previously verify failed because no certificate status is
+ passed on the wire for the restarted session. Fix by using the recorded
+ ocsp status of the stored session for the new connection.
+
Exim version 4.95
-----------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7bf62f504..ab3b636a3 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2417,8 +2417,12 @@ int i;
DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
if(!p)
- {
- /* Expect this when we requested ocsp but got none */
+ { /* Expect this when we requested ocsp but got none */
+ if (SSL_session_reused(s) && tls_out.ocsp == OCSP_VFIED)
+ {
+ DEBUG(D_tls) debug_printf(" null, but resumed; ocsp vfy stored with session is good\n");
+ return 1;
+ }
if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
log_write(0, LOG_MAIN, "Required TLS certificate status not received");
else
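Review bot: The early `return 1` added for the resumed-session case accepts a verdict whose freshness is not checked: `tls_out.ocsp == OCSP_VFIED` says only that the OCSP response seen when the session was first stored verified, and by the time the session is resumed that response may be past its nextUpdate, so the guard here is the stored-session expiry in the second hunk rather than the OCSP validity window. That is a reasonable trade-off given no status is sent on the wire, but it should be stated at the check, e.g. `/* Resumed session: no status is sent; trust the verdict recorded with the stored session (see tlsp->ocsp = dt->ocsp). Freshness is bounded only by session expiry, not by the OCSP nextUpdate. */`, and recording the response's nextUpdate alongside dt->ocsp would let the check reject stale verdicts. Note also that this callback reads the global `tls_out.ocsp` while the resumption path writes through `tlsp->ocsp`; if those can ever refer to different objects the two would disagree, so it is worth confirming that this callback is only ever reached for the connection behind tls_out. The enclosing callback starts and ends outside the hunk.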
@@ -3658,22 +3662,19 @@ if (tlsp->host_resumable)
DEBUG(D_tls) debug_printf("session expired\n");
dbfn_delete(dbm_file, key);
}
- else if (!SSL_set_session(ssl, ss))
- {
- DEBUG(D_tls)
- {
- ERR_error_string_n(ERR_get_error(),
- ssl_errstring, sizeof(ssl_errstring));
- debug_printf("applying session to ssl: %s\n", ssl_errstring);
- }
- }
- else
+ else if (SSL_set_session(ssl, ss))
{
DEBUG(D_tls) debug_printf("good session\n");
tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
tlsp->verify_override = dt->verify_override;
tlsp->ocsp = dt->ocsp;
}
+ else DEBUG(D_tls)
+ {
+ ERR_error_string_n(ERR_get_error(),
+ ssl_errstring, sizeof(ssl_errstring));
+ debug_printf("applying session to ssl: %s\n", ssl_errstring);
+ }
}
}
else
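Review bot: The new `else DEBUG(D_tls) { ... }` on the failure branch of SSL_set_session relies on the DEBUG macro expanding to a single statement (presumably an `if`) to stay attached to the `else`; bracing it explicitly, `else { DEBUG(D_tls) { ERR_error_string_n(...); debug_printf(...); } }`, keeps the structure visible without knowing the macro. As before the reshuffle, ERR_get_error() is only drained when debugging is on, so with debugging off the SSL_set_session error stays on the OpenSSL error queue and can be reported by a later, unrelated failure; a `ERR_clear_error()` in the non-debug path, or pulling the error before the DEBUG test, would avoid that. The failure is also not logged outside debug mode, so an operator has no record that a stored session was rejected and a full handshake followed. The enclosing function starts and ends outside the hunk.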