Re: [exim-dev] CentOS 5's old openssl and TLS support

Author: Dr Andrew C Aitchison
Date:
To: exim-dev
Subject: Re: [exim-dev] CentOS 5's old openssl and TLS support
On Mon, 21 May 2012, Phil Pennock wrote:

> On 2012-05-21 at 07:40 -0700, Todd Lyons wrote:
>> On Sun, May 20, 2012 at 4:32 PM, Phil Pennock <pdp@???> wrote:
>>> On 2012-05-20 at 08:02 -0700, Todd Lyons wrote:
>>>> Do we need to add some detection of openssl version or is this also going
>>>> to be a backwards incompatible change?
>>> There's some around registering the callback but not around defining the
>>> content, an oversight. I'll clean it up a little.
>>
>> Is this possibly one more of those functions that needs a little detection
>> wrapping?
>
> It's the client-side sending of SNI.
>
> Try this.
>
> diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
> index eeab9c1..ebc5a62 100644


This patch does the trick on Scientific Linux 5 too.
Thanks.

> --- a/src/src/tls-openssl.c
> +++ b/src/src/tls-openssl.c
> @@ -46,7 +46,9 @@ static BOOL verify_callback_called = FALSE;
> static const uschar *sid_ctx = US"exim";
>
> static SSL_CTX *ctx = NULL;
> +#ifdef EXIM_HAVE_OPENSSL_TLSEXT
> static SSL_CTX *ctx_sni = NULL;
> +#endif
> static SSL *ssl = NULL;
>
> static char ssl_errstring[256];
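Review bot: wrapping only the declaration (`+#ifdef EXIM_HAVE_OPENSSL_TLSEXT` / `static SSL_CTX *ctx_sni = NULL;` / `+#endif`) is not sufficient by itself; every other reference to ctx_sni in tls-openssl.c has to sit under the same guard, or a build against an OpenSSL without TLS extensions now fails on an undeclared identifier rather than compiling. The hunk also does not show where EXIM_HAVE_OPENSSL_TLSEXT comes from; it should be derived from the OpenSSL version and feature macros in a header that is included before this point, so that the client-side and server-side SNI paths are enabled and disabled together.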
> @@ -1257,8 +1259,14 @@ if (sni)
>     tls_sni = NULL;
>   else
>     {
> +#ifdef EXIM_HAVE_OPENSSL_TLSEXT
>     DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
>     SSL_set_tlsext_host_name(ssl, tls_sni);
> +#else
> +    DEBUG(D_tls)
> +      debug_printf("OpenSSL at build-time lacked SNI support, ignoring \"%s\"\n",
> +          tls_sni);
> +#endif
>     }
>   }
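Review bot: the result of `SSL_set_tlsext_host_name(ssl, tls_sni);` is discarded; it returns 0 when the library rejects the host name, so a check with an error path belongs right after the DEBUG line, otherwise the session continues with no SNI and nothing recorded about why. In the `#else` branch the dropped name is reported only under DEBUG(D_tls); since the configuration asked for that host name, and the peer may pick its certificate on it, a warning in the main log would let an administrator see that certificate verification is being run against something other than the expected name.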


-- 
Dr. Andrew C. Aitchison        Computer Officer, DPMMS, Cambridge
A.C.Aitchison@???    http://www.dpmms.cam.ac.uk/~werdna