[exim-cvs] OpenSSL: on library versions too old to support s…

Autor: Exim Git Commits Mailing List
Datum:  
To: exim-cvs
Betreff: [exim-cvs] OpenSSL: on library versions too old to support session tickets
Gitweb: https://git.exim.org/exim.git/commitdiff/90315b85f88beec520dad795442d5ba806093ab4
Commit:     90315b85f88beec520dad795442d5ba806093ab4
Parent:     927a335fbd3d51e29a216efd034b61f0a169f6aa
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Jun 19 20:12:09 2021 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sat Jun 19 20:12:09 2021 +0100


    OpenSSL: on library versions too old to support session tickets
    client-side limit the valid lifetime of resumable sessions
---
 src/src/tls-openssl.c | 44 +++++++++++++++++++++++++-------------------
 1 file changed, 25 insertions(+), 19 deletions(-)


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 4d6eeaa..cc72b2e 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -3408,29 +3408,35 @@ if (tlsp->host_resumable)
       debug_printf("decoding session: %s\n", ssl_errstring);
       }
     }
-#ifdef EXIM_HAVE_SESSION_TICKET
-      else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
-           < time(NULL))
+      else
     {
-    DEBUG(D_tls) debug_printf("session expired\n");
-    dbfn_delete(dbm_file, key);
-    }
+    unsigned long lifetime =
+#ifdef EXIM_HAVE_SESSION_TICKET
+      SSL_SESSION_get_ticket_lifetime_hint(ss);
+#else            /* Use, fairly arbitrilarily, what we as server would */
+      f.running_in_test_harness ? 6 : ssl_session_timeout;
 #endif
-      else if (!SSL_set_session(ssl, ss))
-    {
-    DEBUG(D_tls)
+    if (lifetime + dt->time_stamp < time(NULL))
       {
-      ERR_error_string_n(ERR_get_error(),
-        ssl_errstring, sizeof(ssl_errstring));
-      debug_printf("applying session to ssl: %s\n", ssl_errstring);
+      DEBUG(D_tls) debug_printf("session expired\n");
+      dbfn_delete(dbm_file, key);
+      }
+    else if (!SSL_set_session(ssl, ss))
+      {
+      DEBUG(D_tls)
+        {
+        ERR_error_string_n(ERR_get_error(),
+          ssl_errstring, sizeof(ssl_errstring));
+        debug_printf("applying session to ssl: %s\n", ssl_errstring);
+        }
+      }
+    else
+      {
+      DEBUG(D_tls) debug_printf("good session\n");
+      tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
+      tlsp->verify_override = dt->verify_override;
+      tlsp->ocsp = dt->ocsp;
       }
-    }
-      else
-    {
-    DEBUG(D_tls) debug_printf("good session\n");
-    tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
-    tlsp->verify_override = dt->verify_override;
-    tlsp->ocsp = dt->ocsp;
     }
       }
     else
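Review bot: The expiry test at `if (lifetime + dt->time_stamp < time(NULL))` only rejects records whose timestamp plus lifetime is already in the past, so a record carrying a future `time_stamp` (a clock step, or a damaged or foreign hints DB) is treated as valid for as long as that skew lasts, and its cached `verify_override` and `ocsp` verdicts are reapplied without re-verification. Reading the clock once and also rejecting future-dated records bounds that: `time_t now = time(NULL);` followed by `if (dt->time_stamp > now || lifetime + dt->time_stamp < now)`. The declared types of `dt->time_stamp` and `ssl_session_timeout` are not visible here; since `lifetime` is `unsigned long`, the sum is evaluated unsigned, which is fine for non-negative values but worth a one-line comment at the declaration. The `#else` comment has a typo and would read better as `/* No ticket lifetime from the library: fall back, fairly arbitrarily, to the timeout we would use as server */`. The enclosing `if (tlsp->host_resumable)` block starts before the hunk and the `else` on its last line continues past it.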