Re: [exim-dev] CentOS 5's old openssl and TLS support

Top Page
Delete this message
Reply to this message
Author: Phil Pennock
Date:  
To: Todd Lyons
CC: exim-dev
New-Topics: Re: [exim-dev] CentOS 5's old openssl and TLS support
Subject: Re: [exim-dev] CentOS 5's old openssl and TLS support
On 2012-05-21 at 07:40 -0700, Todd Lyons wrote:
> On Sun, May 20, 2012 at 4:32 PM, Phil Pennock <pdp@???> wrote:
> > On 2012-05-20 at 08:02 -0700, Todd Lyons wrote:
> >> Do we need to add some detection of openssl version or is this also going
> >> to be a backwards incompatible change?
> > There's some around registering the callback but not around defining the
> > content, an oversight. I'll clean it up a little.
>
> Is this possibly one more of those functions that needs a little detection
> wrapping?


It's the client-side sending of SNI.

Try this.

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index eeab9c1..ebc5a62 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -46,7 +46,9 @@ static BOOL verify_callback_called = FALSE;
static const uschar *sid_ctx = US"exim";

static SSL_CTX *ctx = NULL;
+#ifdef EXIM_HAVE_OPENSSL_TLSEXT
static SSL_CTX *ctx_sni = NULL;
+#endif
static SSL *ssl = NULL;

 static char ssl_errstring[256];
@@ -1257,8 +1259,14 @@ if (sni)
     tls_sni = NULL;
   else
     {
+#ifdef EXIM_HAVE_OPENSSL_TLSEXT
     DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
     SSL_set_tlsext_host_name(ssl, tls_sni);
+#else
+    DEBUG(D_tls)
+      debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
+          tls_sni);
+#endif
     }
   }