diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2022-04-07 21:16:48 +0100 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2022-04-07 21:16:48 +0100 |
| commit | d95313eb794f13bf43af3f0cbcc31491a5091fd2 (patch) | |
| tree | 283791f3afd7c3e899e773c1757ae0a848e9dee4 | |
| parent | 6259ba7148cd408d4704850c206dfc2248d2d1cc (diff) | |
Openssl client: ocsp stapling on resumed seesion
| -rw-r--r-- | doc/doc-txt/ChangeLog | 5 | ||||
| -rw-r--r-- | src/src/tls-openssl.c | 25 |
2 files changed, 18 insertions, 12 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 3b1aa2664..239731436 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -121,6 +121,11 @@ JH/27 Support the PIPECONNECT facility in the smtp transport when the helo_data Previously any use of the local address in the EHLO name disabled PIPECONNECT, the common case being to use the rDNS of it. +JH/28 OpenSSL: fix transport-required OCSP stapling verification under session + resumption. Previously verify failed because no certificate status is + passed on the wire for the restarted session. Fix by using the recorded + ocsp status of the stored session for the new connection. + Exim version 4.95 ----------------- diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 7bf62f504..ab3b636a3 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -2417,8 +2417,12 @@ int i; DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n"); len = SSL_get_tlsext_status_ocsp_resp(s, &p); if(!p) - { - /* Expect this when we requested ocsp but got none */ + { /* Expect this when we requested ocsp but got none */ + if (SSL_session_reused(s) && tls_out.ocsp == OCSP_VFIED) + { + DEBUG(D_tls) debug_printf(" null, but resumed; ocsp vfy stored with session is good\n"); + return 1; + } if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher)) log_write(0, LOG_MAIN, "Required TLS certificate status not received"); else @@ -3658,22 +3662,19 @@ if (tlsp->host_resumable) DEBUG(D_tls) debug_printf("session expired\n"); dbfn_delete(dbm_file, key); } - else if (!SSL_set_session(ssl, ss)) - { - DEBUG(D_tls) - { - ERR_error_string_n(ERR_get_error(), - ssl_errstring, sizeof(ssl_errstring)); - debug_printf("applying session to ssl: %s\n", ssl_errstring); - } - } - else + else if (SSL_set_session(ssl, ss)) { DEBUG(D_tls) debug_printf("good session\n"); tlsp->resumption |= RESUME_CLIENT_SUGGESTED; tlsp->verify_override = dt->verify_override; tlsp->ocsp = dt->ocsp; } + else DEBUG(D_tls) + { + ERR_error_string_n(ERR_get_error(), + ssl_errstring, sizeof(ssl_errstring)); + debug_printf("applying session to ssl: %s\n", ssl_errstring); + } } } else |