-/* $Cambridge: exim/src/src/tls-openssl.c,v 1.27 2010/06/07 00:12:42 pdp Exp $ */
-
/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
construct_cipher_name(SSL *ssl)
{
static uschar cipherbuf[256];
-SSL_CIPHER *c;
+/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't
+yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
+the accessor functions use const in the prototype. */
+const SSL_CIPHER *c;
uschar *ver;
int bits;
ver = US"UNKNOWN";
}
-c = SSL_get_current_cipher(ssl);
+c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
SSL_CIPHER_get_bits(c, &bits);
string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver,
tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL);
if (ERR_get_error() == 0)
log_write(0, LOG_MAIN,
- " => client disconnected cleanly (rejected our certificate?)\n");
+ "TLS client disconnected cleanly (rejected our certificate?)");
return FAIL;
}
void
tls_version_report(FILE *f)
{
-fprintf(f, "OpenSSL compile-time version: %s\n", OPENSSL_VERSION_TEXT);
-fprintf(f, "OpenSSL runtime version: %s\n", SSLeay_version(SSLEAY_VERSION));
+fprintf(f, "Library version: OpenSSL: Compile: %s\n"
+ " Runtime: %s\n",
+ OPENSSL_VERSION_TEXT,
+ SSLeay_version(SSLEAY_VERSION));
}
to apply.
This list is current as of:
- ==> 0.9.8n <== */
+ ==> 1.0.0c <== */
static struct exim_openssl_option exim_openssl_options[] = {
/* KEEP SORTED ALPHABETICALLY! */
#ifdef SSL_OP_ALL
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
{ US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
#endif
+#ifdef SSL_OP_NO_SSLv2
+ { US"no_sslv2", SSL_OP_NO_SSLv2 },
+#endif
+#ifdef SSL_OP_NO_SSLv3
+ { US"no_sslv3", SSL_OP_NO_SSLv3 },
+#endif
+#ifdef SSL_OP_NO_TICKET
+ { US"no_ticket", SSL_OP_NO_TICKET },
+#endif
+#ifdef SSL_OP_NO_TLSv1
+ { US"no_tlsv1", SSL_OP_NO_TLSv1 },
+#endif
#ifdef SSL_OP_SINGLE_DH_USE
{ US"single_dh_use", SSL_OP_SINGLE_DH_USE },
#endif
uschar keep_c;
BOOL adding, item_parsed;
+result = 0L;
/* We grandfather in as default the one option which we used to set always. */
#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
-result = SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
-#else
-result = 0L;
+result |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
#endif
if (option_spec == NULL)
if (*s != '+' && *s != '-')
{
DEBUG(D_tls) debug_printf("malformed openssl option setting: "
- "+ or - expected but found \"%s\"", s);
+ "+ or - expected but found \"%s\"\n", s);
return FALSE;
}
adding = *s++ == '+';
item_parsed = tls_openssl_one_option_parse(s, &item);
if (!item_parsed)
{
- DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"", s);
+ DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
return FALSE;
}
DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",