[exim-dev] [Bug 1421] New: SSL/TLS version string generation…

Author: Bernard Quatermass
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 1421] SSL/TLS version string generation does not cope with later versions, [exim-dev] [Bug 1421] SSL/TLS version string generation does not cope with later versions, [exim-dev] [Bug 1421] SSL/TLS version string generation does not cope with later versions, [exim-dev] [Bug 1421] SSL/TLS version string generation does not cope with later versions
Subject: [exim-dev] [Bug 1421] New: SSL/TLS version string generation does not cope with later versions
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1421
           Summary: SSL/TLS version string generation does not cope with
                    later versions
           Product: Exim
           Version: 4.82
          Platform: Other
        OS/Version: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
        AssignedTo: pdp@???
        ReportedBy: bqexim@???
                CC: exim-dev@???



Created an attachment (id=672)
--> (http://bugs.exim.org/attachment.cgi?id=672)
use openssl lookup function for ssl_version to string

Having upgraded the system from rhel6.4 to rhel6.5, the openssl library has changed
from 1.0.0 to 1.0.1e, which adds TLSv1.1 & TLSv1.2 (amongst other things).

As a result of this the log lines from exim give the ssl version as UNKNOWN
when using TLS > 1.0:

    X=UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256


The system is actually using TLSv1.2 but due to the compile-time hard-coding of
version strings does not display it as such.

Simply recompiling against the newer sources enables the extra values in

    src/tls-openssl.c - construct_cipher_name()


and produces a more useful result

    X=TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256


but this is a less than satisfying solution.


There appears to be no openssl lookup function that takes an ssl_version
directly that returns the corresponding string. However, there is

    const char *SSL_get_version(const SSL *s)
    {
        if (s->version == TLS1_2_VERSION)
                return("TLSv1.2");
        ...


which is present in every openssl version (0.9.1 onwards at least) and it
appears that the session->ssl_version is essentially always a copy of the
SSL->version.

Admittedly the string can't be fixed without some form of rebuild but at least
it can be future-proofed.

Attached is a patch against 4.82 which calls the openssl function instead.
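The mechanism behind the report, as an added illustration that is neither Exim's nor OpenSSL's code and not the attached patch: a version table frozen at compile time against a library that predates TLSv1.1/1.2 (modelled here as `hardcoded_version_string`, a hypothetical stand-in for the pre-patch logic), beside a lookup that mirrors the if-chain of `SSL_get_version()` (`library_version_string`, a stand-in so the example builds without OpenSSL headers). The version constants carry the real values from OpenSSL's ssl.h but are redefined locally; the cipher name and bit count are constructed sample input, and `format_tls_log_field` assembles the `X=` field in the version:cipher:bits form shown in the log lines above.

```c
#include <stdio.h>
#include <string.h>

/* Protocol version codes as defined in OpenSSL's ssl.h (the real wire-format
 * values; redefined here so the example builds without OpenSSL installed). */
#ifndef SSL2_VERSION
#define SSL2_VERSION   0x0002
#define SSL3_VERSION   0x0300
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#endif

/* Hypothetical model of the pre-patch approach: a table fixed when the
 * program was compiled against OpenSSL 1.0.0, which knew nothing above
 * TLSv1.0. Any newer version the runtime library negotiates falls through
 * to UNKNOWN, even though the connection itself is fine. */
static const char *hardcoded_version_string(int version)
{
    switch (version) {
    case SSL2_VERSION: return "SSLv2";
    case SSL3_VERSION: return "SSLv3";
    case TLS1_VERSION: return "TLSv1";
    default:           return "UNKNOWN";
    }
}

/* Stand-in for SSL_get_version(): the same kind of if-chain the library
 * carries itself, so the mapping grows with the library, not the caller. */
static const char *library_version_string(int version)
{
    if (version == TLS1_2_VERSION) return "TLSv1.2";
    if (version == TLS1_1_VERSION) return "TLSv1.1";
    if (version == TLS1_VERSION)   return "TLSv1";
    if (version == SSL3_VERSION)   return "SSLv3";
    if (version == SSL2_VERSION)   return "SSLv2";
    return "unknown";
}

/* Build the X= log field as version:cipher:bits, using whichever version
 * lookup the caller supplies. Returns a static buffer (demo only, not
 * thread-safe). */
static const char *format_tls_log_field(int version, const char *cipher, int bits,
                                        const char *(*version_lookup)(int))
{
    static char buf[128];
    snprintf(buf, sizeof buf, "X=%s:%s:%d", version_lookup(version), cipher, bits);
    return buf;
}

/* True when a logged X= field carries the UNKNOWN marker. For an operator
 * reading logs this means the version table is stale, not that a weak
 * protocol was negotiated. */
static int log_field_has_unknown_version(const char *field)
{
    return strncmp(field, "X=UNKNOWN:", 10) == 0;
}

int main(void)
{
    /* Constructed sample: the cipher suite from the log lines in the report. */
    const char *cipher = "DHE-RSA-AES256-GCM-SHA384";

    printf("compile-time table: %s\n",
           format_tls_log_field(TLS1_2_VERSION, cipher, 256, hardcoded_version_string));
    printf("library lookup:     %s\n",
           format_tls_log_field(TLS1_2_VERSION, cipher, 256, library_version_string));
    return 0;
}
```

Run stand-alone, the first line is the UNKNOWN form and the second the TLSv1.2 form; the difference is entirely in which side owns the version-to-string mapping, which is the point of delegating to the library's own function.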


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email