diff options
-rw-r--r-- | doc/doc-docbook/spec.xfpt | 4 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 30 | ||||
-rw-r--r-- | test/scripts/5890-Resume-GnuTLS/REQUIRES | 2 | ||||
-rw-r--r-- | test/scripts/5891-Resume-OpenSSL/REQUIRES | 2 |
4 files changed, 20 insertions, 18 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 5f5538e64..be3e7c925 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -29462,7 +29462,7 @@ Session resumption (this is the "stateless" variant) involves the server sending a "session ticket" to the client on one connection, which can be stored by the client and used for a later session. The ticket contains sufficient state for the server to reconstruct the TLS session, avoiding some expensive crypto -calculation and one full packet roundtrip time. +calculation and (on TLS1.2) one full packet roundtrip time. .ilist Operational cost/benefit: @@ -29509,7 +29509,7 @@ Observability: server issued ticket, resume used. A suitable decode list is provided in the builtin macro _RESUME_DECODE for in &%listextract%& expansions. -.next: +.next Control: The &%tls_resumption_hosts%& main option specifies a hostlist for which diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index c8017a733..a351c34d6 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -112,8 +112,10 @@ require current GnuTLS, then we'll drop support for the ancient libraries). #endif #ifndef DISABLE_TLS_RESUME -# if GNUTLS_VERSION_NUMBER < 0x030603 -# error GNUTLS version too early for session-resumption +# if GNUTLS_VERSION_NUMBER >= 0x030603 +# define EXIM_HAVE_TLS_RESUME +# else +# warning "GnuTLS library version too old; resumption unsupported" # endif #endif @@ -266,7 +268,7 @@ static BOOL gnutls_buggy_ocsp = FALSE; static BOOL exim_testharness_disable_ocsp_validity_check = FALSE; #endif -#ifndef DISABLE_TLS_RESUME +#ifdef EXIM_HAVE_TLS_RESUME static gnutls_datum_t server_sessticket_key; #endif @@ -326,7 +328,7 @@ static void exim_gnutls_logger_cb(int level, const char *message); static int exim_sni_handling_cb(gnutls_session_t session); -#ifndef DISABLE_TLS_RESUME +#ifdef EXIM_HAVE_TLS_RESUME static int tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when, unsigned incoming, const gnutls_datum_t * msg); @@ -337,7 +339,7 @@ tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when, void tls_daemon_init(void) { -#ifndef DISABLE_TLS_RESUME +#ifdef EXIM_HAVE_TLS_RESUME /* We are dependent on the GnuTLS implementation of the Session Ticket encryption; both the strength and the key rotation period. We hope that the strength at least matches that of the ciphersuite (but GnuTLS does not @@ -1000,10 +1002,10 @@ return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0); "Handshake Protocol: Certificate" record. So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s) -This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term). +This is different to tls1.2 - where it is a separate record (wireshark term) / handshake message (gnutls term). */ -#if !defined(DISABLE_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE) +#if defined(EXIM_HAVE_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE) /* Callback for certificate-status, on server. We sent stapled OCSP. */ static int tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype, @@ -1035,7 +1037,7 @@ switch (htype) # endif case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS: return tls_server_certstatus_cb(sess, htype, when, incoming, msg); -# ifndef DISABLE_TLS_RESUME +# ifdef EXIM_HAVE_TLS_RESUME case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: return tls_server_ticket_cb(sess, htype, when, incoming, msg); # endif @@ -2328,7 +2330,7 @@ else } -#ifndef DISABLE_TLS_RESUME +#ifdef EXIM_HAVE_TLS_RESUME static int tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when, unsigned incoming, const gnutls_datum_t * msg) @@ -2442,7 +2444,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n"); #endif } -#ifndef DISABLE_TLS_RESUME +#ifdef EXIM_HAVE_TLS_RESUME tls_server_resume_prehandshake(state); #endif @@ -2550,7 +2552,7 @@ if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET) tls_in.ext_master_secret = TRUE; #endif -#ifndef DISABLE_TLS_RESUME +#ifdef EXIM_HAVE_TLS_RESUME tls_server_resume_posthandshake(state); #endif @@ -2683,7 +2685,7 @@ return TRUE; -#ifndef DISABLE_TLS_RESUME +#ifdef EXIM_HAVE_TLS_RESUME /* On the client, get any stashed session for the given IP from hints db and apply it to the ssl-connection for attempted resumption. Although there is a gnutls_session_ticket_enable_client() interface it is @@ -2970,7 +2972,7 @@ if (request_ocsp) } #endif -#ifndef DISABLE_TLS_RESUME +#ifdef EXIM_HAVE_TLS_RESUME tls_client_resume_prehandshake(state, tlsp, host, ob); #endif @@ -3070,7 +3072,7 @@ if (request_ocsp) } #endif -#ifndef DISABLE_TLS_RESUME +#ifdef EXIM_HAVE_TLS_RESUME tls_client_resume_posthandshake(state, tlsp, host); #endif diff --git a/test/scripts/5890-Resume-GnuTLS/REQUIRES b/test/scripts/5890-Resume-GnuTLS/REQUIRES index 2f12f2742..7f34d4f81 100644 --- a/test/scripts/5890-Resume-GnuTLS/REQUIRES +++ b/test/scripts/5890-Resume-GnuTLS/REQUIRES @@ -1,3 +1,3 @@ support GnuTLS running IPv4 -support Experimental_TLS_resume +support TLS_resume diff --git a/test/scripts/5891-Resume-OpenSSL/REQUIRES b/test/scripts/5891-Resume-OpenSSL/REQUIRES index 027b4dcab..8e3a29f53 100644 --- a/test/scripts/5891-Resume-OpenSSL/REQUIRES +++ b/test/scripts/5891-Resume-OpenSSL/REQUIRES @@ -1,3 +1,3 @@ support OpenSSL running IPv4 -support Experimental_TLS_resume +support TLS_resume |