OpenSSL: when supported by the library version, disable renegotiation for pre-TLS1.3
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index e45ebd3be736b2535bec063acd79822c54a0b03b..db154448fcb09e0d04ba1068a3209db64d38ff4b 100644
(file)
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-151,6
+151,11
@@
This list is current as of:
==> 1.0.1b <==
Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
==> 1.0.1b <==
Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
+Plus SSL_OP_NO_RENEGOTIATION for 1.1.1
+
+XXX could we autobuild this list, as with predefined-macros?
+Seems just parsing ssl.h for SSL_OP_.* would be enough.
+Also allow a numeric literal?
*/
static exim_openssl_option exim_openssl_options[] = {
/* KEEP SORTED ALPHABETICALLY! */
*/
static exim_openssl_option exim_openssl_options[] = {
/* KEEP SORTED ALPHABETICALLY! */
@@
-190,6
+195,9
@@
static exim_openssl_option exim_openssl_options[] = {
#ifdef SSL_OP_NO_COMPRESSION
{ US"no_compression", SSL_OP_NO_COMPRESSION },
#endif
#ifdef SSL_OP_NO_COMPRESSION
{ US"no_compression", SSL_OP_NO_COMPRESSION },
#endif
+#ifdef SSL_OP_NO_RENEGOTIATION
+ { US"no_renegotiation", SSL_OP_NO_RENEGOTIATION },
+#endif
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
{ US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
#endif
#ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
{ US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION },
#endif
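Review bot: The new `no_renegotiation` table entry says nothing about what it controls or that the same commit turns it on by default in the option-default code further down, so an administrator reading this table will not know they may want to clear it rather than set it. The table's other entries carry no per-entry comments, so the note fits better in the header comment block above the array than here; something like `SSL_OP_NO_RENEGOTIATION (1.1.1+) is applied by default; list it in openssl_options to clear it` would do. The parser's adding/removing branch in the last hunk suggests options can be removed as well as added, but the exact syntax is not visible on this page, so word that part to match the documented option syntax. The array definition starts and ends outside this hunk; the entry itself is correctly placed for the alphabetical order the table requires.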
@@
-3987,6
+3995,9
@@
result |= SSL_OP_NO_SSLv3;
#ifdef SSL_OP_SINGLE_DH_USE
result |= SSL_OP_SINGLE_DH_USE;
#endif
#ifdef SSL_OP_SINGLE_DH_USE
result |= SSL_OP_SINGLE_DH_USE;
#endif
+#ifdef SSL_OP_SINGLE_DH_USE
+result |= SSL_OP_NO_RENEGOTIATION;
+#endif
if (!option_spec)
{
if (!option_spec)
{
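Review bot: The `#ifdef` wrapping the new default at the end of this hunk tests the wrong macro: it checks `SSL_OP_SINGLE_DH_USE`, evidently copied from the block just above it, while the statement it guards uses `SSL_OP_NO_RENEGOTIATION`, which the comment added in the first hunk says exists only from OpenSSL 1.1.1. A build against any library that defines the former but not the latter therefore fails with an undeclared identifier, and the table entry two hunks up already guards the same macro correctly, so the two sites are inconsistent. Change the guard to `#ifdef SSL_OP_NO_RENEGOTIATION` and add a why-comment on the line, e.g. `/* Refuse TLS renegotiation wherever the library can (1.1.1+); applied before openssl_options is parsed so the admin can still clear it */`. The enclosing function starts and ends outside this hunk, so I cannot see how `result` is initialised, but the fix is local to these three lines.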
@@
-4019,7
+4030,7
@@
for (uschar * s = exp; *s; /**/)
DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
return FALSE;
}
DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s);
return FALSE;
}
- DEBUG(D_tls) debug_printf("openssl option, %s %
8lx: %
lx (%s)\n",
+ DEBUG(D_tls) debug_printf("openssl option, %s %
08lx: %08
lx (%s)\n",
adding ? "adding to " : "removing from", result, item, s);
if (adding)
result |= item;
adding ? "adding to " : "removing from", result, item, s);
if (adding)
result |= item;