Gitweb:
https://git.exim.org/exim.git/commitdiff/012dd02e8436a8451afc4a8f69e128e257566c80
Commit: 012dd02e8436a8451afc4a8f69e128e257566c80
Parent: 5b2fd993eadb7b476e5ef14028c7db09fda6c3ae
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Sep 29 15:20:31 2019 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sun Sep 29 15:26:16 2019 +0100
OpenSSL: fix build on earlier library versions
---
doc/doc-docbook/spec.xfpt | 2 +-
src/src/tls-openssl.c | 9 +++++++++
test/log/5602 | 16 ++++++++++++++++
test/scripts/5600-OCSP-OpenSSL/5602 | 1 +
4 files changed, 27 insertions(+), 1 deletion(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 9833f19..273348a 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -17833,7 +17833,7 @@ Certificate Authority.
Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
.new
-For OpenSSL, and
+For OpenSSL 1.1.0 or later, and
.wen
for GnuTLS 3.5.6 or later the expanded value of this option can be a list
of files, to match a list given for the &%tls_certificate%& option.
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 057a0e0..d165eb2 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -74,6 +74,7 @@ change this guard and punt the issue for a while longer. */
# define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
# define EXIM_HAVE_SESSION_TICKET
# define EXIM_HAVE_OPESSL_TRACE
+# define EXIM_HAVE_OPESSL_GET0_SERIAL
# else
# define EXIM_NEED_OPENSSL_INIT
# endif
@@ -1714,6 +1715,7 @@ tls_in.ocsp = OCSP_NOT_RESP;
if (!olist)
return SSL_TLSEXT_ERR_NOACK;
+#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
{
const X509 * cert_sent = SSL_get_certificate(s);
const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
@@ -1761,6 +1763,13 @@ if (!olist)
return SSL_TLSEXT_ERR_NOACK;
}
}
+#else
+if (olist->next)
+ {
+ DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+#endif
/*XXX could we do the i2d earlier, rather than during the callback? */
response_der = NULL;
diff --git a/test/log/5602 b/test/log/5602
new file mode 100644
index 0000000..95a283e
--- /dev/null
+++ b/test/log/5602
@@ -0,0 +1,16 @@
+1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@??? R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 2: Server sends good staple on request, to client preferring ECDSA auth
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => ecdsa.auth@??? R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example_ec.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@???
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@???
diff --git a/test/scripts/5600-OCSP-OpenSSL/5602 b/test/scripts/5600-OCSP-OpenSSL/5602
index 07fda29..02c27ce 100644
--- a/test/scripts/5600-OCSP-OpenSSL/5602
+++ b/test/scripts/5600-OCSP-OpenSSL/5602
@@ -1,4 +1,5 @@
# OCSP stapling, server, multiple leaf-certs
+# This will fail on OpenSSL versions before 1.1.0
#
#
#
