Gitweb:
https://git.exim.org/exim.git/commitdiff/90315b85f88beec520dad795442d5ba806093ab4
Commit: 90315b85f88beec520dad795442d5ba806093ab4
Parent: 927a335fbd3d51e29a216efd034b61f0a169f6aa
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Jun 19 20:12:09 2021 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Sat Jun 19 20:12:09 2021 +0100
OpenSSL: on library versions too old to support session tickets
client-side limit the valid lifetime of resumable sessions
---
src/src/tls-openssl.c | 44 +++++++++++++++++++++++++-------------------
1 file changed, 25 insertions(+), 19 deletions(-)
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 4d6eeaa..cc72b2e 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -3408,29 +3408,35 @@ if (tlsp->host_resumable)
debug_printf("decoding session: %s\n", ssl_errstring);
}
}
-#ifdef EXIM_HAVE_SESSION_TICKET
- else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
- < time(NULL))
+ else
{
- DEBUG(D_tls) debug_printf("session expired\n");
- dbfn_delete(dbm_file, key);
- }
+ unsigned long lifetime =
+#ifdef EXIM_HAVE_SESSION_TICKET
+ SSL_SESSION_get_ticket_lifetime_hint(ss);
+#else /* Use, fairly arbitrilarily, what we as server would */
+ f.running_in_test_harness ? 6 : ssl_session_timeout;
#endif
- else if (!SSL_set_session(ssl, ss))
- {
- DEBUG(D_tls)
+ if (lifetime + dt->time_stamp < time(NULL))
{
- ERR_error_string_n(ERR_get_error(),
- ssl_errstring, sizeof(ssl_errstring));
- debug_printf("applying session to ssl: %s\n", ssl_errstring);
+ DEBUG(D_tls) debug_printf("session expired\n");
+ dbfn_delete(dbm_file, key);
+ }
+ else if (!SSL_set_session(ssl, ss))
+ {
+ DEBUG(D_tls)
+ {
+ ERR_error_string_n(ERR_get_error(),
+ ssl_errstring, sizeof(ssl_errstring));
+ debug_printf("applying session to ssl: %s\n", ssl_errstring);
+ }
+ }
+ else
+ {
+ DEBUG(D_tls) debug_printf("good session\n");
+ tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
+ tlsp->verify_override = dt->verify_override;
+ tlsp->ocsp = dt->ocsp;
}
- }
- else
- {
- DEBUG(D_tls) debug_printf("good session\n");
- tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
- tlsp->verify_override = dt->verify_override;
- tlsp->ocsp = dt->ocsp;
}
}
else
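Review bot: The `#ifdef`/`#else` pair splitting the initializer of `lifetime` across preprocessor branches is fragile (a future edit to either branch has to keep the trailing `;` and the dangling `=` in step) and the `#else` comment misspells "arbitrarily"; it reads better as two complete declarations, `unsigned long lifetime = SSL_SESSION_get_ticket_lifetime_hint(ss);` under `#ifdef EXIM_HAVE_SESSION_TICKET` and `unsigned long lifetime = f.running_in_test_harness ? 6 : ssl_session_timeout;` under `#else /* Use, fairly arbitrarily, what we as server would */`. Because `lifetime` is `unsigned long`, the sum on the `if (lifetime + dt->time_stamp < time(NULL))` line is presumably evaluated in unsigned arithmetic (the type of `dt->time_stamp` is not visible here), so an overlarge server-supplied ticket hint wraps and the session is simply treated as expired, which fails safe; a one-line comment such as `/* unsigned: an overlarge hint wraps and reads as expired */` would spare the next reader that check. The enclosing function starts before this hunk and its `else` branch continues past it.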