authorJeremy Harris <jgh146exb@wizmail.org>2020-05-10 12:08:50 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2020-05-10 15:22:20 +0100
commit2983e1a616058c03b57f1ab32a691f8b8ff9764e (patch)
tree1a60bc0d87945b70f0810ffcf69d50792a16bb1c /src
parent7adc9ca07a9a870f92a14d16740abfecde0bdfa4 (diff)
Move the TLS resumption support from Experimental to mainline
Diffstat (limited to 'src')
-rw-r--r--src/src/EDITME6
-rw-r--r--src/src/auths/gsasl_exim.c4
-rw-r--r--src/src/config.h.defaults2
-rw-r--r--src/src/configure.default13
-rw-r--r--src/src/deliver.c4
-rw-r--r--src/src/exim.c6
-rw-r--r--src/src/expand.c4
-rw-r--r--src/src/globals.c2
-rw-r--r--src/src/globals.h4
-rw-r--r--src/src/macro_predef.c2
-rw-r--r--src/src/readconf.c2
-rw-r--r--src/src/receive.c2
-rw-r--r--src/src/smtp_in.c2
-rw-r--r--src/src/spool_in.c2
-rw-r--r--src/src/spool_out.c2
-rw-r--r--src/src/structs.h2
-rw-r--r--src/src/tls-gnu.c28
-rw-r--r--src/src/tls-openssl.c30
-rw-r--r--src/src/transports/smtp.c6
-rw-r--r--src/src/transports/smtp.h2
20 files changed, 68 insertions, 57 deletions
diff --git a/src/src/EDITME b/src/src/EDITME
index cf671afd1..e198a9cc9 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -277,6 +277,9 @@ SPOOL_DIRECTORY=/var/spool/exim
# specified in INCLUDE.
+# Uncomment the following line to remove support for TLS Resumption
+# DISABLE_TLS_RESUME=yes
+
###############################################################################
# THESE ARE THINGS YOU PROBABLY WANT TO SPECIFY #
@@ -633,9 +636,6 @@ DISABLE_MAL_MKS=yes
# Uncomment the following line to add queuefile transport support
# EXPERIMENTAL_QUEUEFILE=yes
-# Uncomment the following line to include support for TLS Resumption
-# EXPERIMENTAL_TLS_RESUME=yes
-
###############################################################################
# THESE ARE THINGS YOU MIGHT WANT TO SPECIFY #
###############################################################################
diff --git a/src/src/auths/gsasl_exim.c b/src/src/auths/gsasl_exim.c
index a3aaf1fa6..708957f04 100644
--- a/src/src/auths/gsasl_exim.c
+++ b/src/src/auths/gsasl_exim.c
@@ -365,7 +365,7 @@ HDEBUG(D_auth)
#ifndef DISABLE_TLS
if (tls_in.channelbinding && ob->server_channelbinding)
{
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
if (!tls_in.ext_master_secret && tls_in.resumption == RESUME_USED)
{ /* per RFC 7677 section 4 */
HDEBUG(D_auth) debug_printf(
@@ -814,7 +814,7 @@ HDEBUG(D_auth)
#ifndef DISABLE_TLS
if (tls_out.channelbinding && ob->client_channelbinding)
{
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
if (!tls_out.ext_master_secret && tls_out.resumption == RESUME_USED)
{ /* per RFC 7677 section 4 */
string_format(buffer, buffsize, "%s",
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index a91c3c3aa..1a1091f9c 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -54,6 +54,7 @@ Do not put spaces between # and the 'define'.
#define DISABLE_PRDR
#define DISABLE_QUEUE_RAMP
#define DISABLE_TLS
+#define DISABLE_TLS_RESUME
#define DISABLE_D_OPTION
#define ENABLE_DISABLE_FSYNC
@@ -206,7 +207,6 @@ Do not put spaces between # and the 'define'.
#define EXPERIMENTAL_LMDB
#define EXPERIMENTAL_QUEUEFILE
#define EXPERIMENTAL_SRS_ALT
-#define EXPERIMENTAL_TLS_RESUME
/* For developers */
diff --git a/src/src/configure.default b/src/src/configure.default
index b758c8950..57af99c14 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -169,7 +169,14 @@ acl_smtp_data = acl_check_data
# tls_privatekey = /etc/ssl/exim.pem
# For OpenSSL, prefer EC- over RSA-authenticated ciphers
-# tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+.ifdef _HAVE_OPENSSL
+tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT
+.endif
+
+# Don't offer resumption to (most) MUAs, who we don't want to reuse
+# tickets. Once the TLS extension for vended ticket numbers comes
+# though, re-examine since resumption on a single-use ticket is still a benefit.
+tls_resumption_hosts = ${if inlist {$received_port}{587:465} {:}{*}}
# In order to support roaming users who wish to send email from anywhere,
# you may want to make Exim listen on other ports as well as port 25, in
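Review bot: The main-section `tls_resumption_hosts` setting added here is unconditional, but the option only exists in readconf.c's option table when DISABLE_TLS_RESUME is not defined (see the readconf.c hunk), and EDITME now documents `DISABLE_TLS_RESUME=yes` as a supported build choice; a build made that way, or one without TLS at all, would presumably reject the shipped default configuration for naming an unknown option. Guard it the same way the other library-dependent settings in this file are guarded: `.ifdef _HAVE_TLS_RESUME` before the line and `.endif` after it, using the macro that macro_predef.c creates under the same `#ifndef DISABLE_TLS_RESUME`. The same applies to the remote_smtp setting in the next hunk (which tests `_HAVE_TLS`, not `_HAVE_TLS_RESUME`) and to the smarthost_smtp setting in the hunk after it. Separately, uncommenting `tls_require_ciphers = ECDSA:RSA:!COMPLEMENTOFDEFAULT` for OpenSSL changes the default configuration's behaviour in a way the commit message does not mention.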
@@ -808,6 +815,9 @@ begin transports
remote_smtp:
driver = smtp
message_size_limit = ${if > {$max_received_linelength}{998} {1}{0}}
+.ifdef _HAVE_TLS
+ tls_resumption_hosts = *
+#endif
.ifdef _HAVE_PRDR
hosts_try_prdr = *
.endif
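Review bot: The `#endif` closing the new `.ifdef _HAVE_TLS` block around `tls_resumption_hosts = *` is a comment, not a directive: in this file `#` introduces a comment and conditionals are closed with `.endif`, as the neighbouring `_HAVE_PRDR` block shows, so the `.ifdef` presumably stays open past this point. The guard macro should also be the one that tracks the option's existence, since the transport option is only compiled into `smtp_transport_options[]` under `#ifndef DISABLE_TLS_RESUME` (transports/smtp.c hunk). Proposed replacement for the three added lines: `.ifdef _HAVE_TLS_RESUME` / `  tls_resumption_hosts = *` / `.endif`.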
@@ -848,6 +858,7 @@ smarthost_smtp:
.ifdef _HAVE_GNUTLS
tls_require_ciphers = SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
.endif
+ tls_resumption_hosts = *
.endif
.ifdef _HAVE_PRDR
hosts_try_prdr = *
diff --git a/src/src/deliver.c b/src/src/deliver.c
index b681584d5..3dcd7f949 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -817,7 +817,7 @@ d_tlslog(gstring * g, address_item * addr)
if (LOGGING(tls_cipher) && addr->cipher)
{
g = string_append(g, 2, US" X=", addr->cipher);
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
if (LOGGING(tls_resumption) && testflag(addr, af_tls_resume))
g = string_catn(g, US"*", 1);
#endif
@@ -4773,7 +4773,7 @@ all pipes, so I do not see a reason to use non-blocking IO here
#ifdef SUPPORT_DANE
if (tls_out.dane_verified) setflag(addr, af_dane_verified);
#endif
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
if (tls_out.resumption & RESUME_USED) setflag(addr, af_tls_resume);
# endif
diff --git a/src/src/exim.c b/src/src/exim.c
index ab2d673dd..f61fe208f 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -931,6 +931,9 @@ g = string_cat(NULL, US"Support for:");
#ifdef USE_OPENSSL
g = string_cat(g, US" OpenSSL");
#endif
+#ifndef DISABLE_TLS_RESUME
+ g = string_cat(g, US" TLS_resume");
+#endif
#ifdef SUPPORT_TRANSLATE_IP_ADDRESS
g = string_cat(g, US" translate_ip_address");
#endif
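Review bot: `TLS_resume` is appended to the "Support for:" list under `#ifndef DISABLE_TLS_RESUME` alone, and nothing in this commit defines DISABLE_TLS_RESUME when DISABLE_TLS is set; unless this stretch already sits inside an `#ifndef DISABLE_TLS` region (not visible in the hunk, and the unindented sibling `#ifdef USE_OPENSSL` suggests it does not), a build with TLS disabled would advertise TLS_resume. The macro_predef.c hunk has the same shape and would export `_HAVE_TLS_RESUME` to configuration files on such a build. A guard of `#if !defined(DISABLE_TLS) && !defined(DISABLE_TLS_RESUME)` on both would tie the feature flag to the TLS it depends on.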
@@ -1007,9 +1010,6 @@ g = string_cat(NULL, US"Support for:");
#if defined(EXPERIMENTAL_SRS_ALT)
g = string_cat(g, US" Experimental_SRS");
#endif
-#ifdef EXPERIMENTAL_TLS_RESUME
- g = string_cat(g, US" Experimental_TLS_resume");
-#endif
g = string_cat(g, US"\n");
g = string_cat(g, US"Lookups (built-in):");
diff --git a/src/src/expand.c b/src/src/expand.c
index 4abde0af6..732e20f97 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -779,7 +779,7 @@ static var_entry var_table[] = {
{ "tls_in_ourcert", vtype_cert, &tls_in.ourcert },
{ "tls_in_peercert", vtype_cert, &tls_in.peercert },
{ "tls_in_peerdn", vtype_stringptr, &tls_in.peerdn },
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
{ "tls_in_resumption", vtype_int, &tls_in.resumption },
#endif
#ifndef DISABLE_TLS
@@ -797,7 +797,7 @@ static var_entry var_table[] = {
{ "tls_out_ourcert", vtype_cert, &tls_out.ourcert },
{ "tls_out_peercert", vtype_cert, &tls_out.peercert },
{ "tls_out_peerdn", vtype_stringptr, &tls_out.peerdn },
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
{ "tls_out_resumption", vtype_int, &tls_out.resumption },
#endif
#ifndef DISABLE_TLS
diff --git a/src/src/globals.c b/src/src/globals.c
index 561054981..1a4e3c8ed 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -137,7 +137,7 @@ uschar *tls_ocsp_file = NULL;
uschar *tls_privatekey = NULL;
BOOL tls_remember_esmtp = FALSE;
uschar *tls_require_ciphers = NULL;
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
uschar *tls_resumption_hosts = NULL;
# endif
uschar *tls_try_verify_hosts = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index fffe74441..1bdf338a2 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -107,7 +107,7 @@ typedef struct {
OCSP_FAILED, /* verify failed */
OCSP_VFIED /* verified */
} ocsp; /* Stapled OCSP status */
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
unsigned resumption; /* Session resumption */
BOOL host_resumable:1;
BOOL ticket_received:1;
@@ -134,7 +134,7 @@ extern uschar *tls_ocsp_file; /* OCSP stapling proof file */
extern uschar *tls_privatekey; /* Private key file */
extern BOOL tls_remember_esmtp; /* For YAEB */
extern uschar *tls_require_ciphers; /* So some can be avoided */
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
extern uschar *tls_resumption_hosts; /* TLS session resumption */
# endif
extern uschar *tls_try_verify_hosts; /* Optional client verification */
diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c
index f6cfcb14c..aeb234af7 100644
--- a/src/src/macro_predef.c
+++ b/src/src/macro_predef.c
@@ -204,7 +204,7 @@ due to conflicts with other common macros. */
#ifdef EXPERIMENTAL_DSN_INFO
builtin_macro_create(US"_HAVE_DSN_INFO");
#endif
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
builtin_macro_create(US"_HAVE_TLS_RESUME");
#endif
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 3921ccffb..7b474f51d 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -378,7 +378,7 @@ static optionlist optionlist_config[] = {
{ "tls_privatekey", opt_stringptr, {&tls_privatekey} },
{ "tls_remember_esmtp", opt_bool, {&tls_remember_esmtp} },
{ "tls_require_ciphers", opt_stringptr, {&tls_require_ciphers} },
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
{ "tls_resumption_hosts", opt_stringptr, {&tls_resumption_hosts} },
# endif
{ "tls_try_verify_hosts", opt_stringptr, {&tls_try_verify_hosts} },
diff --git a/src/src/receive.c b/src/src/receive.c
index 0fbd35f82..df8719ec6 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -3994,7 +3994,7 @@ g = add_host_info_for_log(g);
if (LOGGING(tls_cipher) && tls_in.cipher)
{
g = string_append(g, 2, US" X=", tls_in.cipher);
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
if (LOGGING(tls_resumption) && tls_in.resumption & RESUME_USED)
g = string_catn(g, US"*", 1);
# endif
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index b3d1acbf9..412ef4df0 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1801,7 +1801,7 @@ s_tlslog(gstring * g)
if (LOGGING(tls_cipher) && tls_in.cipher)
{
g = string_append(g, 2, US" X=", tls_in.cipher);
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
if (LOGGING(tls_resumption) && tls_in.resumption & RESUME_USED)
g = string_catn(g, US"*", 1);
#endif
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index a0147d5ee..4b70780bc 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -683,7 +683,7 @@ for (;;)
tls_in.sni = string_unprinting(string_copy_taint(q+4, tainted));
else if (Ustrncmp(q, "ocsp", 4) == 0)
tls_in.ocsp = q[5] - '0';
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
else if (Ustrncmp(q, "resumption", 10) == 0)
tls_in.resumption = q[11] - 'A';
# endif
diff --git a/src/src/spool_out.c b/src/src/spool_out.c
index 539ad3d72..5d658fd74 100644
--- a/src/src/spool_out.c
+++ b/src/src/spool_out.c
@@ -261,7 +261,7 @@ if (tls_in.ourcert)
fprintf(fp, "-tls_ourcert %s\n", CS big_buffer);
}
if (tls_in.ocsp) fprintf(fp, "-tls_ocsp %d\n", tls_in.ocsp);
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
fprintf(fp, "-tls_resumption %c\n", 'A' + tls_in.resumption);
# endif
if (tls_in.ver) spool_var_write(fp, US"tls_ver", tls_in.ver);
diff --git a/src/src/structs.h b/src/src/structs.h
index e1d989af2..9aab603f8 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -644,7 +644,7 @@ typedef struct address_item {
#ifdef SUPPORT_I18N
BOOL af_utf8_downcvt:1; /* downconvert was done for delivery */
#endif
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
BOOL af_tls_resume:1; /* TLS used a resumed session */
#endif
} flags;
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 24114f05e..c8017a733 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -111,7 +111,7 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
# endif
#endif
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
# if GNUTLS_VERSION_NUMBER < 0x030603
# error GNUTLS version too early for session-resumption
# endif
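Review bot: Now that resumption is on by default, the `#error GNUTLS version too early for session-resumption` fires on every default build against GnuTLS older than 3.6.3, and the corresponding `#error OpenSSL version too old` in the tls-openssl.c hunk does the same for OpenSSL older than 1.1.1; the only escape is knowing to set `DISABLE_TLS_RESUME=yes`, which the new EDITME text describes merely as removing support. A local `#define DISABLE_TLS_RESUME` inside this block would not be a safe automatic fallback, because globals.h and structs.h change struct layouts on the same macro and every translation unit must agree on it, so any automatic disable would have to live in a header they all include. At minimum the diagnostic should name the remedy, e.g. `#  error GNUTLS version too early for session-resumption; build with DISABLE_TLS_RESUME=yes`, and likewise for the OpenSSL check.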
@@ -131,7 +131,7 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
void
options_tls(void)
{
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
# endif
# ifdef EXIM_HAVE_TLS1_3
@@ -266,7 +266,7 @@ static BOOL gnutls_buggy_ocsp = FALSE;
static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
#endif
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
static gnutls_datum_t server_sessticket_key;
#endif
@@ -326,7 +326,7 @@ static void exim_gnutls_logger_cb(int level, const char *message);
static int exim_sni_handling_cb(gnutls_session_t session);
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
static int
tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
unsigned incoming, const gnutls_datum_t * msg);
@@ -337,7 +337,7 @@ tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
void
tls_daemon_init(void)
{
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
/* We are dependent on the GnuTLS implementation of the Session Ticket
encryption; both the strength and the key rotation period. We hope that
the strength at least matches that of the ciphersuite (but GnuTLS does not
@@ -1003,7 +1003,7 @@ So we need to spot the Certificate handshake message, parse it and spot any stat
This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
*/
-#if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+#if !defined(DISABLE_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
/* Callback for certificate-status, on server. We sent stapled OCSP. */
static int
tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
@@ -1035,7 +1035,7 @@ switch (htype)
# endif
case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
return tls_server_ticket_cb(sess, htype, when, incoming, msg);
# endif
@@ -2328,7 +2328,7 @@ else
}
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
static int
tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
unsigned incoming, const gnutls_datum_t * msg)
@@ -2442,7 +2442,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
#endif
}
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
tls_server_resume_prehandshake(state);
#endif
@@ -2550,7 +2550,7 @@ if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
tls_in.ext_master_secret = TRUE;
#endif
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
tls_server_resume_posthandshake(state);
#endif
@@ -2683,7 +2683,7 @@ return TRUE;
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
/* On the client, get any stashed session for the given IP from hints db
and apply it to the ssl-connection for attempted resumption. Although
there is a gnutls_session_ticket_enable_client() interface it is
@@ -2816,7 +2816,7 @@ if (gnutls_session_is_resumed(state->session))
tls_save_session(tlsp, state->session, host);
}
-#endif /* EXPERIMENTAL_TLS_RESUME */
+#endif /* !DISABLE_TLS_RESUME */
/*************************************************
@@ -2970,7 +2970,7 @@ if (request_ocsp)
}
#endif
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
tls_client_resume_prehandshake(state, tlsp, host, ob);
#endif
@@ -3070,7 +3070,7 @@ if (request_ocsp)
}
#endif
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
tls_client_resume_posthandshake(state, tlsp, host);
#endif
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 0caf1c0ff..673768a56 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -116,7 +116,7 @@ change this guard and punt the issue for a while longer. */
# define DISABLE_OCSP
#endif
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
# if OPENSSL_VERSION_NUMBER < 0x0101010L
# error OpenSSL version too old for session-resumption
# endif
@@ -292,7 +292,7 @@ for (struct exim_openssl_option * o = exim_openssl_options;
builtin_macro_create(buf);
}
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
# endif
# ifdef SSL_OP_NO_TLSv1_3
@@ -422,7 +422,7 @@ static int tls_server_stapling_cb(SSL *s, void *arg);
/* Daemon-called, before every connection, key create/rotate */
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
static void tk_init(void);
static int tls_exdata_idx = -1;
#endif
@@ -430,7 +430,7 @@ static int tls_exdata_idx = -1;
void
tls_daemon_init(void)
{
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
tk_init();
#endif
return;
@@ -891,7 +891,7 @@ fclose(fp);
#endif
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
/* Manage the keysets used for encrypting the session tickets, on the server. */
typedef struct { /* Session ticket encryption key */
@@ -2176,12 +2176,12 @@ availability of the option value macros from OpenSSL. */
if (!tls_openssl_options_parse(openssl_options, &init_options))
return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
tlsp->resumption = RESUME_SUPPORTED;
#endif
if (init_options)
{
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
/* Should the server offer session resumption? */
if (!host && verify_check_host(&tls_resumption_hosts) == OK)
{
@@ -2685,12 +2685,12 @@ else if (verify_check_host(&tls_try_verify_hosts) == OK)
server_verify_optional = TRUE;
}
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
/* despite working, appears to always return failure, so ignoring */
#endif
#ifdef OPENSSL_HAVE_NUM_TICKETS
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
# else
SSL_CTX_set_num_tickets(server_ctx, 0); /* send no TLS1.3 stateful-tickets */
@@ -2796,7 +2796,7 @@ DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
ERR_clear_error(); /* Even success can leave errors in the stack. Seen with
anon-authentication ciphersuite negotiated. */
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
if (SSL_session_reused(server_ssl))
{
tls_in.resumption |= RESUME_USED;
@@ -2983,7 +2983,7 @@ return DEFER;
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
/* On the client, get any stashed session for the given IP from hints db
and apply it to the ssl-connection for attempted resumption. */
@@ -3145,7 +3145,7 @@ if (SSL_session_reused(exim_client_ctx->ssl))
tlsp->resumption |= RESUME_USED;
}
}
-#endif /* EXPERIMENTAL_TLS_RESUME */
+#endif /* !DISABLE_TLS_RESUME */
/*************************************************
@@ -3294,7 +3294,7 @@ else
client_static_cbinfo, errstr) != OK)
return FALSE;
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
#endif
@@ -3365,7 +3365,7 @@ if (request_ocsp)
}
#endif
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
errstr))
return FALSE;
@@ -3406,7 +3406,7 @@ DEBUG(D_tls)
#endif
}
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
tls_client_resume_posthandshake(exim_client_ctx, tlsp);
#endif
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 8492a7f25..f47c6d92f 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -127,7 +127,7 @@ optionlist smtp_transport_options[] = {
{ "tls_dh_min_bits", opt_int, LOFF(tls_dh_min_bits) },
{ "tls_privatekey", opt_stringptr, LOFF(tls_privatekey) },
{ "tls_require_ciphers", opt_stringptr, LOFF(tls_require_ciphers) },
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
{ "tls_resumption_hosts", opt_stringptr, LOFF(tls_resumption_hosts) },
# endif
{ "tls_sni", opt_stringptr, LOFF(tls_sni) },
@@ -233,7 +233,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
.tls_verify_certificates = US"system",
.tls_dh_min_bits = EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
.tls_tempfail_tryclear = TRUE,
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
.tls_resumption_hosts = NULL,
# endif
.tls_verify_hosts = NULL,
@@ -1970,7 +1970,7 @@ tls_out.peerdn = NULL;
tls_out.sni = NULL;
#endif
tls_out.ocsp = OCSP_NOT_REQ;
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
tls_out.resumption = 0;
#endif
tls_out.ver = NULL;
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 6e63a002d..037105a00 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -84,7 +84,7 @@ typedef struct {
uschar *tls_crl;
uschar *tls_privatekey;
uschar *tls_require_ciphers;
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
uschar *tls_resumption_hosts;
# endif
uschar *tls_sni;