Gitweb:
https://git.exim.org/exim.git/commitdiff/43e2db44c657b07340368eae5dd05e51eab829fb
Commit: 43e2db44c657b07340368eae5dd05e51eab829fb
Parent: e570d1363603ca4a58401008541408d74cd0ce40
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Thu May 2 21:01:43 2019 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Thu May 2 21:01:43 2019 +0100
TLS: library version build-time checks for resumption support
---
doc/doc-txt/experimental-spec.txt | 5 +++--
src/src/tls-gnu.c | 8 ++++++--
src/src/tls-openssl.c | 6 ++++++
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index a2861c4..feecb33 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -953,9 +953,10 @@ Transport configurations should be checked for this. An example avoidance:
TLS Session Resumption
----------------------
-TLS Session Resumption for TLS 1.2 and TLS1.3 connections can be used (defined
+TLS Session Resumption for TLS 1.2 and TLS 1.3 connections can be used (defined
in RFC 5077 for 1.2). The support for this can be included by building with
-EXPERIMENTAL_TLS_RESUME defined.
+EXPERIMENTAL_TLS_RESUME defined. This requires GnuTLS 3.6.3 or OpenSSL 1.1.1
+(or later).
Session resumption (this is the "stateless" variant) involves the server sending
a "session ticket" to the client on one connection, which can be stored by the
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 03002c7..085f6b8 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -89,6 +89,12 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
# endif
#endif
+#ifdef EXPERIMENTAL_TLS_RESUME
+# if GNUTLS_VERSION_NUMBER < 0x030603
+# error GNUTLS version too early for session-resumption
+# endif
+#endif
+
#ifndef DISABLE_OCSP
# include <gnutls/ocsp.h>
#endif
@@ -2475,7 +2481,6 @@ but this flag is not set until the second. TLS 1.3 it's the other way about.
Keep both calls as the session data cannot be extracted before handshake
completes. */
-#ifdef GNUTLS_SFLAGS_SESSION_TICKET
if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
{
gnutls_datum_t tkt;
@@ -2510,7 +2515,6 @@ if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
else DEBUG(D_tls)
debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
}
-#endif
}
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index e47df7c..824212d 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -108,6 +108,12 @@ change this guard and punt the issue for a while longer. */
# define DISABLE_OCSP
#endif
+#ifdef EXPERIMENTAL_TLS_RESUME
+# if OPENSSL_VERSION_NUMBER < 0x0101010L
+# error OpenSSL version too old for session-resumption
+# endif
+#endif
+
#ifdef EXIM_HAVE_OPENSSL_CHECKHOST
# include <openssl/x509v3.h>
#endif
