------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugs.exim.org/show_bug.cgi?id=1421
Summary: SSL/TLS version string generation does not cope with later versions
Product: Exim
Version: 4.82
Platform: Other
OS/Version: All
Status: NEW
Severity: bug
Priority: medium
Component: TLS
AssignedTo: pdp@???
ReportedBy: bqexim@???
CC: exim-dev@???
Created an attachment (id=672) --> (http://bugs.exim.org/attachment.cgi?id=672)
use openssl lookup function for ssl_version to string
Having upgraded system from rhel6.4 to rhel6.5 the openssl library has changed
from 1.0.0 to 1.0.1e which adds TLSv1.1 & TLSv1.2 (amongst other things).
As a result of this the log lines from exim give the ssl version as UNKNOWN
when using TLS > 1.0:
X=UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256
The system is actually using TLSv1.2 but due to the compile-time hard-coding of
version strings does not display it as such.
Simply recompiling against the newer sources enables the extra values in
src/tls-openssl.c - construct_cipher_name()
and produces a more useful result
X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256
but this is a less than satisfying solution.
There appears to be no openssl lookup function that takes an ssl_version
directly that returns the corresponding string. However, there is
const char *SSL_get_version(const SSL *s)
{
if (s->version == TLS1_2_VERSION)
return("TLSv1.2");
...
which is present in every openssl version (0.9.1 onwards at least) and it
appears that the session->ssl_version is essentially always a copy of the
SSL->version.
Admittedly the string can't be fixed without some form of rebuild but at least
it can be future-proofed.
Attached is a patch against 4.82 which calls the openssl function instead.
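A check an administrator could run over Exim main-log lines to find the symptom described in this report, added here as an example and not part of the bug report, its attached patch, or Exim itself; the X=version:cipher:bits field layout is taken from the log samples above, while the regex, the sample log lines and the helper names are constructed for the example.

```python
import re
from collections import Counter

# Exim main-log TLS field as shown in the report: X=version:cipher:bits
# (e.g. "X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256"). The regex is an assumption
# drawn from those samples, not a copy of Exim's own log-writing code.
TLS_FIELD = re.compile(r"\bX=(?P<version>[^:\s]+):(?P<cipher>[^:\s]+):(?P<bits>\d+)")

# Constructed sample lines in Exim main-log style (not real traffic).
SAMPLE_LOG = """\
2013-12-01 10:00:01 1VmQ1a-0001Ab-3x <= alice@example.org H=[192.0.2.10] P=esmtps X=TLSv1:AES128-SHA:128 S=1234
2013-12-01 10:00:05 1VmQ1e-0001Ac-7y <= bob@example.net H=[192.0.2.20] P=esmtps X=UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256 S=2345
2013-12-01 10:00:09 1VmQ1i-0001Ad-2z <= carol@example.com H=[192.0.2.30] P=esmtps X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256 S=3456
2013-12-01 10:00:12 1VmQ1m-0001Ae-9w <= dave@example.org H=[192.0.2.40] P=esmtp S=456
"""

def parse_tls_field(line):
    """Return (version, cipher, bits) from one log line, or None if it has no X= field."""
    m = TLS_FIELD.search(line)
    if m is None:
        return None
    return m.group("version"), m.group("cipher"), int(m.group("bits"))

def minimum_version_for_cipher(cipher):
    """Lower bound on the negotiated protocol implied by the cipher suite name.
    GCM (AEAD) suites and SHA256/SHA384 MAC suites only exist from TLS 1.2 on;
    any other suite could have been negotiated under SSLv3, TLS 1.0 or 1.1."""
    if "GCM" in cipher or cipher.endswith(("SHA256", "SHA384")):
        return "TLSv1.2"
    return None

def summarise(log_text):
    """Count lines per logged version and list UNKNOWN entries together with the
    version the cipher name proves was in use (the symptom in the bug report)."""
    counts = Counter()
    unknown = []
    for line in log_text.splitlines():
        parsed = parse_tls_field(line)
        if parsed is None:
            continue
        version, cipher, bits = parsed
        counts[version] += 1
        if version == "UNKNOWN":
            unknown.append((cipher, bits, minimum_version_for_cipher(cipher)))
    return counts, unknown

if __name__ == "__main__":
    counts, unknown = summarise(SAMPLE_LOG)
    for version, n in sorted(counts.items()):
        print(f"{version:8s} {n}")
    for cipher, bits, at_least in unknown:
        print(f"UNKNOWN version with {cipher} ({bits} bits); cipher implies >= {at_least}")
```

An UNKNOWN version paired with a TLS 1.2-only suite means the running OpenSSL negotiated a protocol the Exim binary was not built to name, so the logged version cannot be relied on until Exim is rebuilt against the current headers (or carries the attached patch).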