# define GNUTLS_AUTO_GLOBAL_INIT
# define GNUTLS_AUTO_PKCS11_MANUAL
#endif
+#if (GNUTLS_VERSION_NUMBER >= 0x030404) \
+ || (GNUTLS_VERSION_NUMBER >= 0x030311) && (GNUTLS_VERSION_NUMBER & 0xffff00 == 0x030300)
+# ifndef DISABLE_OCSP
+# define EXIM_HAVE_OCSP
+# endif
+#endif
#if GNUTLS_VERSION_NUMBER >= 0x030500
# define SUPPORT_GNUTLS_KEYLOG
#endif
# ifdef EXIM_HAVE_TLS1_3
builtin_macro_create(US"_HAVE_TLS1_3");
# endif
+# ifdef EXIM_HAVE_OCSP
+builtin_macro_create(US"_HAVE_TLS_OCSP");
+# endif
+# ifdef SUPPORT_SRV_OCSP_STACK
+builtin_macro_create(US"_HAVE_TLS_OCSP_LIST");
+# endif
}
#else
#ifdef SUPPORT_GNUTLS_SESS_DESC
debug_printf("%s\n", gnutls_session_get_desc(state->session));
#endif
-#ifdef SUPPORT_GNUTLS_KEYLOG
+#ifdef SUPPORT_GNUTLS_KEYLOG
# ifdef EXIM_HAVE_TLS1_3
if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
-#else
+# else
if (TRUE)
-#endif
+# endif
{
gnutls_datum_t c, s;
gstring * gc, * gs;
- /* we only want the client random and the master secret */
+ /* For TLS1.2 we only want the client random and the master secret */
gnutls_session_get_random(state->session, &c, &s);
gnutls_session_get_master_secret(state->session, &s);
gc = ddump(&c);
" add SSLKEYLOGFILE to keep_environment in the exim config\n"
" run exim as root\n"
" if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
- " (works for TLS1.2 also, and saves cut-paste into file)\n");
+ " (works for TLS1.2 also, and saves cut-paste into file)"
+ " Trying to use add_environment for this will not work\n");
#endif
}
return FAIL;
}
+#ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
+if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
+ tls_in.ext_master_secret = TRUE;
+#endif
+
#ifdef EXPERIMENTAL_TLS_RESUME
tls_server_resume_posthandshake(state);
#endif
return FALSE;
}
+#ifdef GNUTLS_SFLAGS_EXT_MASTER_SECRET
+if (gnutls_session_get_flags(state->session) & GNUTLS_SFLAGS_EXT_MASTER_SECRET)
+ tlsp->ext_master_secret = TRUE;
+#endif
+
#ifndef DISABLE_OCSP
if (request_ocsp)
{
len number of bytes
more more data expected soon
+Calling with len zero and more unset will flush buffered writes. The buff
+argument can be null for that case.
+
Returns: the number of bytes after a successful write,
-1 after a failed write
*/