authorJeremy Harris <jgh146exb@wizmail.org>2019-05-06 16:19:15 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2019-05-07 22:45:51 +0100
commitf4e62a871680af98f14beb5f21dbe3b85c5c35ff (patch)
tree45a11d0f4ca8c72acf8373c37f1c52f4a9d722f6 /src
parentdea4b5684c694c41105215bdb25f8e91b7c35c5d (diff)
OpenSSL: fix tls_try_verify_hosts under resumption
Diffstat (limited to 'src')
-rw-r--r--src/src/dbstuff.h1
-rw-r--r--src/src/tls-openssl.c8
2 files changed, 7 insertions, 2 deletions
diff --git a/src/src/dbstuff.h b/src/src/dbstuff.h
index 6b1ae0ebb..227de39e5 100644
--- a/src/src/dbstuff.h
+++ b/src/src/dbstuff.h
@@ -807,6 +807,7 @@ typedef struct {
typedef struct {
time_t time_stamp;
/*************/
+ uschar verify_override;
uschar session[1];
} dbdata_tls_session;
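Review bot: Adding `verify_override` ahead of `session[1]` changes the layout of the record kept in the tls hints database, and nothing in this hunk marks a record's format. A record written by a build without the field would, if read back, have a byte of encoded session data taken as the flag at `tlsp->verify_override = dt->verify_override;` in the tls-openssl.c resumption hunk, and the session bytes would be read shifted. Whether that can happen depends on how old records are expired, which is not visible here. The field also deserves a comment, e.g. `/* try-verify failure was overridden; kept with the session so resumption reports the same verify state */`, and the upgrade notes could say that an existing tls hints file should be discarded.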
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 3092dce2e..39e7fc8f4 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -586,6 +586,7 @@ if (!X509_NAME_oneline(X509_get_subject_name(cert), CS dn, sizeof(dn)))
}
dn[sizeof(dn)-1] = '\0';
+tlsp->verify_override = FALSE;
if (preverify_ok == 0)
{
uschar * extra = verify_mode ? string_sprintf(" (during %c-verify for [%s])",
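Review bot: The reset `tlsp->verify_override = FALSE;` sits after the `X509_NAME_oneline` failure block that closes just above it, so any exit taken inside that block leaves the flag as it was. That could be the value copied from a stored session record by the resumption hunk further down. If that block always fails the handshake this is harmless, but the start of the callback and the block's body are outside the hunk, so it is worth confirming. Clearing the flag at the top of the callback would make the reset hold on every path. A one-line comment such as `/* clear any value carried over from a stored session; set again only if this failure is overridden */` would also record why the reset is needed.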
@@ -2174,7 +2175,8 @@ if (tlsp->peercert)
when it actually failed but we're in try-verify mode, due to us wanting the
knowlege that it failed so needing to have the callback and forcing a
permissive return. If we don't force it, the TLS startup is failed.
- Hence the verify_override bodge - though still a problem for resumption. */
+ The extra bit of information is set in verify_override in the cb, stashed
+ for resumption next to the TLS session, and used here. */
if (!tlsp->verify_override)
tlsp->certificate_verified = SSL_get_verify_result(ssl) == X509_V_OK;
@@ -2756,6 +2758,7 @@ if (tlsp->host_resumable)
{
DEBUG(D_tls) debug_printf("good session\n");
tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
+ tlsp->verify_override = dt->verify_override;
}
}
else
@@ -2791,7 +2794,8 @@ if (SSL_SESSION_is_resumable(ss)) /* 1.1.1 */
DEBUG(D_tls) debug_printf("session is resumable\n");
tlsp->resumption |= RESUME_SERVER_TICKET; /* server gave us a ticket */
- len = i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
+ dt->verify_override = tlsp->verify_override;
+ (void) i2d_SSL_SESSION(ss, &s); /* s gets bumped to end */
if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
{
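Review bot: The result of `i2d_SSL_SESSION(ss, &s)` is now discarded with `(void)`, so a failed encoding is not noticed before the record, which now also carries `verify_override`, is handed to the tls database. The buffer and its length appear to be set up earlier in the function, outside this hunk. It would be safer to check the call, for example `if (i2d_SSL_SESSION(ss, &s) <= 0)`, and skip the `dbfn_open` write in that case. Otherwise a later resumption attempt could load a flag paired with session bytes that were never filled in.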