Gitweb:
https://git.exim.org/exim.git/commitdiff/4f1d23a1aa7aafc5a47988d80dde87c67ec8e1fc
Commit: 4f1d23a1aa7aafc5a47988d80dde87c67ec8e1fc
Parent: 4202f1215e6e1cbcb66b82e514efcc21682e8ae1
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Mon May 6 12:28:14 2019 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Tue May 7 22:45:51 2019 +0100
OpenSSL: discard expired resumption session in client
---
doc/doc-txt/experimental-spec.txt | 3 ++-
src/src/tls-openssl.c | 6 ++++++
test/log/5891 | 4 ++--
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index aa7046e..f304cf4 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1004,7 +1004,8 @@ Issues:
will be true, when verify failed but tls_try_verify_hosts allowed the
connection (under OpenSSL)
$tls_{in,out}_cipher will have values different to the original (under GnuTLS)
- $tls_{in,out}_ocsp will be "not requested" or "no response"
+ $tls_{in,out}_ocsp will be "not requested" or "no response", and
+ hosts_require_ocsp will fail
--------------------------------------------------------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index ee52b7c..df88435 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2731,6 +2731,12 @@ if (tlsp->host_resumable)
debug_printf("decoding session: %s\n", ssl_errstring);
}
}
+ else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
+ < time(NULL))
+ {
+ DEBUG(D_tls) debug_printf("session expired\n");
+ dbfn_delete(dbm_file, key);
+ }
else if (!SSL_set_session(ssl, ss))
{
DEBUG(D_tls)
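Review bot: The expiry test in the new `else if` treats a lifetime hint of 0 as "already expired": `SSL_SESSION_get_ticket_lifetime_hint()` returns 0 when the server gave no hint (RFC 5077 reserves 0 for "lifetime unspecified", which TLS 1.2 servers may send), so a saved session without a hint is deleted from the DB on its first reuse attempt and resumption never happens for that host. Guarding the hint keeps the intended behaviour for hinted tickets: `else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) > 0` / `&& (time_t) SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp < time(NULL))`. The hint is an `unsigned long` while `time()` returns `time_t`, so without the cast the comparison is signed/unsigned and will trip `-Wsign-compare` (assuming `dt->time_stamp` is `time_t`; its declaration is not in the hunk). If the decoded `ss` is released with `SSL_SESSION_free()` further down this function, the new branch should do the same before falling through, since it no longer hands `ss` to `SSL_set_session()` — confirm against the code below the hunk. The enclosing function begins before this hunk.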
diff --git a/test/log/5891 b/test/log/5891
index 6edba3c..56c00dd 100644
--- a/test/log/5891
+++ b/test/log/5891
@@ -53,7 +53,7 @@
1999-03-02 09:44:33 10HmbE-0005vi-00 => postrenewal@??? R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbF-0005vi-00"
1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss for timeout@???
-1999-03-02 09:44:33 10HmbG-0005vi-00 tls_out_resumption client offered session, server only provided new ticket
+1999-03-02 09:44:33 10HmbG-0005vi-00 tls_out_resumption client requested new ticket, server provided
1999-03-02 09:44:33 10HmbG-0005vi-00 our cert subject
1999-03-02 09:44:33 10HmbG-0005vi-00 peer cert subject CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK
1999-03-02 09:44:33 10HmbG-0005vi-00 peer cert verified 1
@@ -209,7 +209,7 @@
1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbE-0005vi-00@??? for postrenewal@???
1999-03-02 09:44:33 10HmbF-0005vi-00 => :blackhole: <postrenewal@???> R=server
1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
-1999-03-02 09:44:33 tls_in_resumption client offered session, server only provided new ticket
+1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided
1999-03-02 09:44:33 our cert subject CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK
1999-03-02 09:44:33 peer cert subject
1999-03-02 09:44:33 peer cert verified 0