static BOOL ssl_xfer_error = FALSE;
#endif
-uschar *tls_channelbinding_b64 = NULL;
-
/*************************************************
* Expand string; give error on failure *
}
+/* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
+and writes a file by that name. Our OpenSSL code does the same, using keying
+info from the library API.
+The GnuTLS support only works if exim is run by root, not taking advantage of
+the setuid bit.
+You can use either the external environment (modulo the keep_environment config)
+or the add_environment config option for SSLKEYLOGFILE; the latter takes
+precedence.
+
+If the path is absolute, require it starts with the spooldir; otherwise delete
+the env variable. If relative, prefix the spooldir.
+*/
+void
+tls_clean_env(void)
+{
+uschar * path = US getenv("SSLKEYLOGFILE");
+if (path)
+ if (!*path)
+ unsetenv("SSLKEYLOGFILE");
+ else if (*path != '/')
+ {
+ DEBUG(D_tls)
+ debug_printf("prepending spooldir to env SSLKEYLOGFILE\n");
+ setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1);
+ }
+ else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0)
+ {
+ DEBUG(D_tls)
+ debug_printf("removing env SSLKEYLOGFILE=%s: not under spooldir\n", path);
+ unsetenv("SSLKEYLOGFILE");
+ }
+}
/*************************************************
* Drop privs for checking TLS config *
oldsignal = signal(SIGCHLD, SIG_DFL);
fflush(NULL);
-if ((pid = fork()) < 0)
+if ((pid = exim_fork(US"cipher validate")) < 0)
log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for TLS check");
if (pid == 0)
log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
"tls_require_ciphers invalid: %s", errmsg);
fflush(NULL);
- exim_underbar_exit(0);
+ exim_underbar_exit(0, NULL);
}
do {