static exim_openssl_option exim_openssl_options[] = {
/* KEEP SORTED ALPHABETICALLY! */
#ifdef SSL_OP_ALL
- { US"all", SSL_OP_ALL },
+ { US"all", (long) SSL_OP_ALL },
#endif
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
{ US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
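Review bot: The `(long)` cast on the `all` entry hides the conversion instead of explaining it, and it is the only entry visible here that carries one (the `allow_unsafe_legacy_renegotiation` entry is uncast). If `SSL_OP_ALL` does not fit in a `long` on some platform, the converted value is implementation-defined and may come out negative, so the option mask applied later could differ from what the header defines. Assuming the struct's value member is a `long` (its declaration is outside this hunk), I would add a comment such as `/* SSL_OP_ALL may be unsigned or wider than long in some OpenSSL headers */`, or change the member to an unsigned type wide enough for the option bits.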
# ifdef EXPERIMENTAL_TLS_RESUME
builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
# endif
+# ifdef SSL_OP_NO_TLSv1_3
+builtin_macro_create(US"_HAVE_TLS1_3");
+# endif
}
#else
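Review bot: `_HAVE_TLS1_3` is created purely from the build-time presence of `SSL_OP_NO_TLSv1_3`, so it records what the headers offered, not what the OpenSSL library loaded at run time can negotiate. A configuration that branches on the macro may therefore assume TLS 1.3 is available when a different library version is in use. A one-line comment above the `# ifdef` would make that explicit, e.g. `/* header-level test only; the runtime library may differ */`. The enclosing function begins above this hunk.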
if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
return 0; /* key couldn't be created */
memcpy(key_name, key->name, 16);
- DEBUG(D_tls) debug_printf("STEK expire %ld\n", key->expire - time(NULL));
+ DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
/*XXX will want these dependent on the ssl session strength */
HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
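Review bot: The `TIME_T_FMT` conversion is only correct if `key->expire - time(NULL)` really has type `time_t`, and the declaration of `expire` is not visible in this hunk; the same applies to the two later `debug_printf` changes that print `key->expire - now`. A format/argument mismatch in a variadic call is undefined behaviour, so I would either cast at the call site, `(time_t)(key->expire - time(NULL))`, or note beside the field that it must stay `time_t`. The value printed is the remaining lifetime rather than a timestamp, and it can be negative for an expired key (the "ticket not usable" branch prints it in that case), so it is worth confirming that `TIME_T_FMT` is a signed conversion. The surrounding function starts and ends outside the hunk.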
DEBUG(D_tls)
{
debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
- if (key) debug_printf("STEK expire %ld\n", key->expire - now);
+ if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
}
return 0;
}
key->hmac_hash, NULL);
EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
- DEBUG(D_tls) debug_printf("ticket usable, STEK expire %ld\n", key->expire - now);
+ DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
/* The ticket lifetime and renewal are the same as the STEK lifetime and
renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
}
supply_response:
- cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
+ /*XXX stack? (these tag points are for multiple leaf-cert support for ocsp */
+ cbinfo->u_ocsp.server.response = resp;
return;
bad:
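Review bot: The new comment above the assignment opens a parenthesis that never closes, and the `XXX stack?` question it carries is still unexplained. I would write it as `/*XXX stack? (these tag points are for multiple leaf-cert support for OCSP) */` and spell out what "stack" asks. Since the line stores `resp` in long-lived callback state, the comment is also the natural place to say who owns the response and whether a previously stored one is released; neither is visible in this hunk.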
/* Make the extension value available for expansion */
store_pool = POOL_PERM;
-tls_in.sni = string_copy(US servername);
+tls_in.sni = string_copy_taint(US servername, TRUE);
store_pool = old_pool;
if (!reexpand_tls_files_for_sni)
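Review bot: Nothing at the call site says why the copy is tainted or what the bare `TRUE` means; the SNI value is supplied by the TLS peer, and a reader should not have to look up `string_copy_taint` to learn that. I would add a comment such as `/* SNI is client-supplied: keep it tainted so expansions treat it as untrusted */` and, if the project has a named constant for the flag, use it in place of `TRUE`. The hunk shows no length or character check on `servername` before it is stored in the permanent pool and, presumably, used when the TLS file settings are re-expanded for the SNI. Such a check may exist earlier in the function, which starts and ends outside this hunk.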