summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2019-09-29 15:20:31 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2019-09-29 15:26:16 +0100
commit012dd02e8436a8451afc4a8f69e128e257566c80 (patch)
tree2f01d68e66fd95a9078cb55b8d7505c862d2441a
parent5b2fd993eadb7b476e5ef14028c7db09fda6c3ae (diff)
OpenSSL: fix build on earlier library versions
-rw-r--r--doc/doc-docbook/spec.xfpt2
-rw-r--r--src/src/tls-openssl.c9
-rw-r--r--test/log/560216
-rw-r--r--test/scripts/5600-OCSP-OpenSSL/56021
4 files changed, 27 insertions, 1 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 9833f19e4..273348ac8 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -17833,7 +17833,7 @@ Certificate Authority.
Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
.new
-For OpenSSL, and
+For OpenSSL 1.1.0 or later, and
.wen
for GnuTLS 3.5.6 or later the expanded value of this option can be a list
of files, to match a list given for the &%tls_certificate%& option.
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 057a0e006..d165eb2c0 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -74,6 +74,7 @@ change this guard and punt the issue for a while longer. */
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
# define EXIM_HAVE_SESSION_TICKET
# define EXIM_HAVE_OPESSL_TRACE
+# define EXIM_HAVE_OPESSL_GET0_SERIAL
# else
# define EXIM_NEED_OPENSSL_INIT
# endif
@@ -1714,6 +1715,7 @@ tls_in.ocsp = OCSP_NOT_RESP;
if (!olist)
return SSL_TLSEXT_ERR_NOACK;
+#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
{
const X509 * cert_sent = SSL_get_certificate(s);
const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
@@ -1761,6 +1763,13 @@ if (!olist)
return SSL_TLSEXT_ERR_NOACK;
}
}
+#else
+if (olist->next)
+ {
+ DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+#endif
/*XXX could we do the i2d earlier, rather than during the callback? */
response_der = NULL;
diff --git a/test/log/5602 b/test/log/5602
new file mode 100644
index 000000000..95a283edd
--- /dev/null
+++ b/test/log/5602
@@ -0,0 +1,16 @@
+1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 2: Server sends good staple on request, to client preferring ECDSA auth
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => ecdsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example_ec.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com
diff --git a/test/scripts/5600-OCSP-OpenSSL/5602 b/test/scripts/5600-OCSP-OpenSSL/5602
index 07fda294c..02c27ce44 100644
--- a/test/scripts/5600-OCSP-OpenSSL/5602
+++ b/test/scripts/5600-OCSP-OpenSSL/5602
@@ -1,4 +1,5 @@
# OCSP stapling, server, multiple leaf-certs
+# This will fail on OpenSSL versions before 1.1.0
#
#
#