the connected host if setting up a client
errstr pointer to returned error string
-Returns: OK/DEFER/FAIL
+Returns: DEFER/FAIL
*/
static int
}
+/* Returns: DEFER/FAIL */
static int
tls_error_gnu(exim_gnutls_state_st * state, const uschar *prefix, int err,
uschar ** errstr)
/* The format of "data" here doesn't seem to be documented, but appears
to be a 2-byte field with a (redundant, given the "size" arg) total length
then a sequence of one-byte size then string (not nul-term) names. The
- latter is as described in OpenSSL documentation. */
+ latter is as described in OpenSSL documentation.
+ Note that we do not get called for a match_fail, making it hard to log
+ a single bad ALPN being offered (the common case). */
+ {
+ gstring * g = NULL;
DEBUG(D_tls) debug_printf("Seen ALPN extension from client (s=%u):", size);
for (const uschar * s = data+2; s-data < size-1; s += *s + 1)
{
server_seen_alpn++;
+ g = string_append_listele_n(g, ':', s+1, *s);
DEBUG(D_tls) debug_printf(" '%.*s'", (int)*s, s+1);
}
DEBUG(D_tls) debug_printf("\n");
if (server_seen_alpn > 1)
{
+ log_write(0, LOG_MAIN, "TLS ALPN (%s) rejected", string_from_gstring(g));
DEBUG(D_tls) debug_printf("TLS: too many ALPNs presented in handshake\n");
return GNUTLS_E_NO_APPLICATION_PROTOCOL;
}
break;
+ }
#endif
}
return 0;
debug_printf("TLS: basic cred init, %s\n", server ? "server" : "client");
}
+/* Returns OK/DEFER/FAIL */
static int
creds_load_server_certs(exim_gnutls_state_st * state, const uschar * cert,
const uschar * pkey, const uschar * ocsp, uschar ** errstr)
if (!(kfile = string_nextinlist(&klist, &ksep, NULL, 0)))
return tls_error(US"cert/key setup: out of keys", NULL, NULL, errstr);
- else if ((rc = tls_add_certfile(state, NULL, cfile, kfile, errstr)) != OK)
+ else if ((rc = tls_add_certfile(state, NULL, cfile, kfile, errstr)) > OK)
return rc;
else
{
}
#endif /* DISABLE_OCSP */
}
-return 0;
+return OK;
}
static int
int rc = tls_add_certfile(state, host, cert, pkey, errstr);
if (rc > 0) return rc;
DEBUG(D_tls) debug_printf("TLS: cert/key registered\n");
-return 0;
+return OK;
}
static int
for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
- tlsp->ver = string_copyn(g->s, g->ptr);
+ tlsp->ver = string_copy_from_gstring(g);
for (uschar * p = US tlsp->ver; *p; p++)
if (*p == '-') { *p = '\0'; break; } /* TLS1.0-PKIX -> TLS1.0 */