Diffstat (limited to 'src')
-rw-r--r--src/src/EDITME12
-rw-r--r--src/src/config.h.defaults3
-rw-r--r--src/src/deliver.c4
-rw-r--r--src/src/exim.c6
-rw-r--r--src/src/globals.c2
-rw-r--r--src/src/globals.h2
-rw-r--r--src/src/readconf.c2
-rw-r--r--src/src/tls-gnu.c15
-rw-r--r--src/src/tls-openssl.c44
-rw-r--r--src/src/transports/smtp.c6
-rw-r--r--src/src/transports/smtp.h2
11 files changed, 51 insertions, 47 deletions
diff --git a/src/src/EDITME b/src/src/EDITME
index 0d31ba5c1..d576fd7a3 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -416,6 +416,13 @@ EXIM_MONITOR=eximon.bin
# DISABLE_PRDR=yes
#------------------------------------------------------------------------------
+# Uncomment the following line to remove OCSP stapling support in TLS,
+# from Exim. Note it can only be supported when built with
+# GnuTLS 3.1.3 or later, or OpenSSL
+
+# DISABLE_OCSP=yes
+
+#------------------------------------------------------------------------------
# By default, Exim has support for checking the AD bit in a DNS response, to
# determine if DNSSEC validation was successful. If your system libraries
# do not support that bit, then set DISABLE_DNSSEC to "yes"
@@ -459,11 +466,6 @@ EXIM_MONITOR=eximon.bin
# CFLAGS += -I/opt/brightmail/bsdk-6.0/include
# LDFLAGS += -lxml2_single -lbmiclient_single -L/opt/brightmail/bsdk-6.0/lib
-# Uncomment the following line to add OCSP stapling support in TLS, if Exim
-# was built using OpenSSL, or with GnuTLS 3.1.3 or later.
-
-# EXPERIMENTAL_OCSP=yes
-
# Uncomment the following line to add DMARC checking capability, implemented
# using libopendmarc libraries.
# EXPERIMENTAL_DMARC=yes
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index 0bb97a231..ba4615c11 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -41,6 +41,8 @@ it's a default value. */
#define DELIVER_IN_BUFFER_SIZE 8192
#define DELIVER_OUT_BUFFER_SIZE 8192
#define DISABLE_DKIM
+#define DISABLE_PRDR
+#define DISABLE_OCSP
#define DISABLE_DNSSEC
#define DISABLE_D_OPTION
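Review bot: `#define DISABLE_PRDR` is added next to `#define DISABLE_OCSP`, but nothing else in this diff touches PRDR; it looks like a default that was missing for the already-existing DISABLE_PRDR build option (EDITME already documents it) rather than part of the OCSP change. It would be worth calling that out in the commit message, or splitting it into its own commit, so the two changes can be bisected and reverted independently.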
@@ -169,7 +171,6 @@ it's a default value. */
#define EXPERIMENTAL_DCC
#define EXPERIMENTAL_DMARC
#define EXPERIMENTAL_DSN
-#define EXPERIMENTAL_OCSP
#define EXPERIMENTAL_PROXY
#define EXPERIMENTAL_REDIS
#define EXPERIMENTAL_SPF
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 68c04877e..70f6a7a21 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -3019,7 +3019,7 @@ while (!done)
(void) tls_import_cert(ptr, &addr->ourcert);
break;
- #ifdef EXPERIMENTAL_OCSP
+ #ifndef DISABLE_OCSP
case '4':
addr->ocsp = OCSP_NOT_REQ;
if (*ptr)
@@ -4167,7 +4167,7 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++)
*ptr++ = 0;
rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer);
}
- # ifdef EXPERIMENTAL_OCSP
+ #ifndef DISABLE_OCSP
if (addr->ocsp > OCSP_NOT_REQ)
{
ptr = big_buffer;
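Review bot: This replacement drops the nested-directive indent: the old `# ifdef EXPERIMENTAL_OCSP` becomes `#ifndef DISABLE_OCSP`, whereas the first deliver.c hunk and the readconf.c and tls-openssl.c hunks keep the `# ` form for directives nested inside an outer conditional. If this directive still sits inside another `#if` (the enclosing block starts before the hunk, so I cannot confirm it from here), writing it as `# ifndef DISABLE_OCSP` keeps the file's convention and makes the nesting visible.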
diff --git a/src/src/exim.c b/src/src/exim.c
index 1435a0ac4..517b5435e 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -808,6 +808,9 @@ fprintf(f, "Support for:");
#ifndef DISABLE_PRDR
fprintf(f, " PRDR");
#endif
+#ifndef DISABLE_OCSP
+ fprintf(f, " OCSP");
+#endif
#ifdef EXPERIMENTAL_SPF
fprintf(f, " Experimental_SPF");
#endif
@@ -823,9 +826,6 @@ fprintf(f, "Support for:");
#ifdef EXPERIMENTAL_DMARC
fprintf(f, " Experimental_DMARC");
#endif
-#ifdef EXPERIMENTAL_OCSP
- fprintf(f, " Experimental_OCSP");
-#endif
#ifdef EXPERIMENTAL_PROXY
fprintf(f, " Experimental_Proxy");
#endif
diff --git a/src/src/globals.c b/src/src/globals.c
index f8166aadf..b3d2ab8c5 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -150,7 +150,7 @@ that's the interop problem which has been observed: GnuTLS suggesting a higher
bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */
int tls_dh_max_bits = 2236;
uschar *tls_dhparam = NULL;
-#if defined(EXPERIMENTAL_OCSP)
+#ifndef DISABLE_OCSP
uschar *tls_ocsp_file = NULL;
#endif
BOOL tls_offered = FALSE;
diff --git a/src/src/globals.h b/src/src/globals.h
index c2ab99b9c..cf9b61eff 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -114,7 +114,7 @@ extern uschar *tls_channelbinding_b64; /* string of base64 channel binding */
extern uschar *tls_crl; /* CRL File */
extern int tls_dh_max_bits; /* don't accept higher lib suggestions */
extern uschar *tls_dhparam; /* DH param file */
-#if defined(EXPERIMENTAL_OCSP)
+#ifndef DISABLE_OCSP
extern uschar *tls_ocsp_file; /* OCSP stapling proof file */
#endif
extern BOOL tls_offered; /* Server offered TLS */
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 11f7184a6..fb1476365 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -439,7 +439,7 @@ static optionlist optionlist_config[] = {
{ "tls_crl", opt_stringptr, &tls_crl },
{ "tls_dh_max_bits", opt_int, &tls_dh_max_bits },
{ "tls_dhparam", opt_stringptr, &tls_dhparam },
-# if defined(EXPERIMENTAL_OCSP)
+# ifndef DISABLE_OCSP
{ "tls_ocsp_file", opt_stringptr, &tls_ocsp_file },
# endif
{ "tls_on_connect_ports", opt_stringptr, &tls_in.on_connect_ports },
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index af43686e4..e85095d65 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -43,7 +43,7 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
#if GNUTLS_VERSION_NUMBER >= 0x020c00
# include <gnutls/pkcs11.h>
#endif
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
# include <gnutls/ocsp.h>
#endif
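Review bot: Turning OCSP from opt-in into opt-out means `# include <gnutls/ocsp.h>` on the new side is now reached by every build that does not set DISABLE_OCSP, including builds against GnuTLS older than 3.1.3, which the EDITME text in this same commit says cannot support it; unlike the pkcs11 include just above, it carries no `GNUTLS_VERSION_NUMBER` guard, so such a build fails with a missing-header error instead of a clear message. Consider placing `#if !defined(DISABLE_OCSP) && GNUTLS_VERSION_NUMBER < 0x030103` / `# error "OCSP stapling needs GnuTLS 3.1.3 or later; build with DISABLE_OCSP=yes"` / `#endif` ahead of the include, or auto-defining DISABLE_OCSP there. The same concern applies to the `<openssl/ocsp.h>` include hunk in tls-openssl.c, where an OpenSSL built with `OPENSSL_NO_OCSP` would now fail to compile by default; the later callback hunks there are nested under EXIM_HAVE_OPENSSL_TLSEXT, but the include and the tls_init parameter are not.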
@@ -216,7 +216,7 @@ static void exim_gnutls_logger_cb(int level, const char *message);
static int exim_sni_handling_cb(gnutls_session_t session);
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
gnutls_datum_t * ocsp_response);
#endif
@@ -809,7 +809,7 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
/* Set the OCSP stapling server info */
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if ( !host /* server */
&& tls_ocsp_file
)
@@ -1485,7 +1485,7 @@ return 0;
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
static int
server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
@@ -1705,7 +1705,7 @@ smtp_transport_options_block *ob = v_ob;
int rc;
const char *error;
exim_gnutls_state_st *state = NULL;
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
NULL, host->name, host->address, NULL) == OK;
BOOL request_ocsp = require_ocsp ? TRUE
@@ -1787,7 +1787,8 @@ else
gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
}
-#ifdef EXPERIMENTAL_OCSP /* since GnuTLS 3.1.3 */
+#ifndef DISABLE_OCSP
+ /* supported since GnuTLS 3.1.3 */
if (request_ocsp)
{
DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
@@ -1827,7 +1828,7 @@ if (state->verify_requirement != VERIFY_NONE &&
!verify_certificate(state, &error))
return tls_error(US"certificate verification failed", error, state->host);
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if (require_ocsp)
{
DEBUG(D_tls)
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 1d6b91470..05af3db88 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -22,13 +22,13 @@ functions from the OpenSSL library. */
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/rand.h>
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
# include <openssl/ocsp.h>
#endif
-#ifdef EXPERIMENTAL_OCSP
-#define EXIM_OCSP_SKEW_SECONDS (300L)
-#define EXIM_OCSP_MAX_AGE (-1L)
+#ifndef DISABLE_OCSP
+# define EXIM_OCSP_SKEW_SECONDS (300L)
+# define EXIM_OCSP_MAX_AGE (-1L)
#endif
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
@@ -88,7 +88,7 @@ static BOOL reexpand_tls_files_for_sni = FALSE;
typedef struct tls_ext_ctx_cb {
uschar *certificate;
uschar *privatekey;
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
BOOL is_server;
union {
struct {
@@ -127,7 +127,7 @@ setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL opt
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg);
#endif
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
static int tls_server_stapling_cb(SSL *s, void *arg);
#endif
@@ -213,7 +213,7 @@ return rsa_key;
/* Extreme debug
-#if defined(EXPERIMENTAL_OCSP)
+#ifndef DISABLE_OCSP
void
x509_store_dump_cert_s_names(X509_STORE * store)
{
@@ -295,7 +295,7 @@ else if (X509_STORE_CTX_get_error_depth(x509ctx) != 0)
{
DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n",
X509_STORE_CTX_get_error_depth(x509ctx), txt);
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
{ /* client, wanting stapling */
/* Add the server cert's signing chain as the one
@@ -486,7 +486,7 @@ return TRUE;
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
/*************************************************
* Load OCSP information into state *
*************************************************/
@@ -620,7 +620,7 @@ bad:
}
return;
}
-#endif /*EXPERIMENTAL_OCSP*/
+#endif /*!DISABLE_OCSP*/
@@ -682,7 +682,7 @@ if (expanded != NULL && *expanded != 0)
"SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL);
}
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
{
if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
@@ -772,7 +772,7 @@ SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo);
if (cbinfo->server_cipher_list)
SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list);
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if (cbinfo->u_ocsp.server.file)
{
SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb);
@@ -801,7 +801,7 @@ return SSL_TLSEXT_ERR_OK;
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
/*************************************************
* Callback to handle OCSP Stapling *
@@ -985,7 +985,7 @@ if(!(bs = OCSP_response_get1_basic(rsp)))
OCSP_RESPONSE_free(rsp);
return i;
}
-#endif /*EXPERIMENTAL_OCSP*/
+#endif /*!DISABLE_OCSP*/
@@ -1011,7 +1011,7 @@ Returns: OK/DEFER/FAIL
static int
tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate,
uschar *privatekey,
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
uschar *ocsp_file,
#endif
address_item *addr, tls_ext_ctx_cb ** cbp)
@@ -1024,7 +1024,7 @@ tls_ext_ctx_cb *cbinfo;
cbinfo = store_malloc(sizeof(tls_ext_ctx_cb));
cbinfo->certificate = certificate;
cbinfo->privatekey = privatekey;
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
if ((cbinfo->is_server = host==NULL))
{
cbinfo->u_ocsp.server.file = ocsp_file;
@@ -1126,7 +1126,7 @@ if (rc != OK) return rc;
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
if (host == NULL) /* server */
{
-# ifdef EXPERIMENTAL_OCSP
+# ifndef DISABLE_OCSP
/* We check u_ocsp.server.file, not server.response, because we care about if
the option exists, not what the current expansion might be, as SNI might
change the certificate and OCSP file in use between now and the time the
@@ -1142,7 +1142,7 @@ if (host == NULL) /* server */
SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb);
SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo);
}
-# ifdef EXPERIMENTAL_OCSP
+# ifndef DISABLE_OCSP
else /* client */
if(ocsp_file) /* wanting stapling */
{
@@ -1379,7 +1379,7 @@ if (tls_in.active >= 0)
the error. */
rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey,
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
tls_ocsp_file,
#endif
NULL, &server_static_cbinfo);
@@ -1549,7 +1549,7 @@ uschar *expciphers;
X509* server_cert;
int rc;
static uschar cipherbuf[256];
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
NULL, host->name, host->address, NULL) == OK;
BOOL request_ocsp = require_ocsp ? TRUE
@@ -1559,7 +1559,7 @@ BOOL request_ocsp = require_ocsp ? TRUE
rc = tls_init(&client_ctx, host, NULL,
ob->tls_certificate, ob->tls_privatekey,
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
(void *)(long)request_ocsp,
#endif
addr, &client_static_cbinfo);
@@ -1647,7 +1647,7 @@ if (ob->tls_sni)
}
}
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
/* Request certificate status at connection-time. If the server
does OCSP stapling we will get the callback (set in tls_init()) */
if (request_ocsp)
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 38dcfa080..db424fa61 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -102,14 +102,14 @@ optionlist smtp_transport_options[] = {
(void *)offsetof(smtp_transport_options_block, hosts_override) },
{ "hosts_randomize", opt_bool,
(void *)offsetof(smtp_transport_options_block, hosts_randomize) },
-#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_OCSP)
+#if defined(SUPPORT_TLS) && !defined(DISABLE_OCSP)
{ "hosts_request_ocsp", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) },
#endif
{ "hosts_require_auth", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_auth) },
#ifdef SUPPORT_TLS
-# if defined EXPERIMENTAL_OCSP
+# ifndef DISABLE_OCSP
{ "hosts_require_ocsp", opt_stringptr,
(void *)offsetof(smtp_transport_options_block, hosts_require_ocsp) },
# endif
@@ -203,7 +203,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
#ifndef DISABLE_PRDR
NULL, /* hosts_try_prdr */
#endif
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
US"*", /* hosts_request_ocsp */
NULL, /* hosts_require_ocsp */
#endif
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index a481943bb..dd41e1f15 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -24,7 +24,7 @@ typedef struct {
#ifndef DISABLE_PRDR
uschar *hosts_try_prdr;
#endif
-#ifdef EXPERIMENTAL_OCSP
+#ifndef DISABLE_OCSP
uschar *hosts_request_ocsp;
uschar *hosts_require_ocsp;
#endif