{
smtp_transport_options_block *ob = SOB tblock->options_block;
-errmsg = errmsg; /* Keep picky compilers happy */
-uid = uid;
-gid = gid;
-
/* Pass back options if required. This interface is getting very messy. */
if (tf)
{
case OK: sx->conn_args.dane = TRUE;
ob->tls_tempfail_tryclear = FALSE;
+ ob->tls_sni = sx->addrlist->domain;
break;
case FAIL_FORCED: break;
default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER,
/* TLS negotiation failed; give an error. From outside, this function may
be called again to try in clear on a new connection, if the options permit
it for this host. */
-#ifdef USE_GNUTLS
- GNUTLS_CONN_FAILED:
-#endif
+ TLS_CONN_FAILED:
DEBUG(D_tls) debug_printf("TLS session fail: %s\n", tls_errstr);
# ifdef SUPPORT_DANE
goto TLS_FAILED;
}
- /* TLS session is set up */
+ /* TLS session is set up. Check the inblock fill level. If there is
+ content then as we have not yet done a tls read it must have arrived before
+ the TLS handshake, in-clear. That violates the sync requirement of the
+ STARTTLS RFC, so fail. */
+
+ if (sx->inblock.ptr != sx->inblock.ptrend)
+ {
+ DEBUG(D_tls)
+ {
+ int i = sx->inblock.ptrend - sx->inblock.ptr;
+ debug_printf("unused data in input buffer after ack for STARTTLS:\n"
+ "'%.*s'%s\n",
+ i > 100 ? 100 : i, sx->inblock.ptr, i > 100 ? "..." : "");
+ }
+ tls_errstr = US"synch error before connect";
+ goto TLS_CONN_FAILED;
+ }
smtp_peer_options_wrap = smtp_peer_options;
for (address_item * addr = sx->addrlist; addr; addr = addr->next)
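Review bot: The new in-clear-data check routes a sync violation to `TLS_CONN_FAILED`, the same label used for a failed negotiation, and the comment above that label says the caller may then retry in clear on a new connection if the host's options permit it; if that holds, a peer that injects data before the STARTTLS handshake completes may be able to convert the rejected session into a cleartext retry on hosts not covered by a require-TLS option. Consider whether this case should be reported distinctly from a handshake failure (e.g. a dedicated error string already set here, plus a log line rather than only a `DEBUG(D_tls)` message) so the downgrade decision outside this function can treat it as a hard failure; the retry logic is outside the hunk, so this is an inference to confirm. Separately, `int i = sx->inblock.ptrend - sx->inblock.ptr;` narrows a pointer difference into `int`; the debug print only needs a bounded count, so `ptrdiff_t` (or the buffer's own size type) would avoid the implicit conversion, and note that the bytes echoed under `%.*s` are peer-supplied and unfiltered. The enclosing function starts and ends outside this hunk.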
Can it do that, with all the flexibility we need? */
tls_errstr = US"error on first read";
- goto GNUTLS_CONN_FAILED;
+ goto TLS_CONN_FAILED;
}
#else
goto RESPONSE_FAILED;
uschar new_message_id[MESSAGE_ID_LENGTH + 1];
smtp_context * sx = store_get(sizeof(*sx), TRUE); /* tainted, for the data buffers */
-suppress_tls = suppress_tls; /* stop compiler warning when no TLS support */
*message_defer = FALSE;
memset(sx, 0, sizeof(*sx));
if (sx->completed_addr && sx->ok && sx->send_quit)
{
- BOOL more;
smtp_compare_t t_compare;
t_compare.tblock = tblock;
&&
#endif
transport_check_waiting(tblock->name, host->name,
- tblock->connection_max_messages, new_message_id, &more,
+ tblock->connection_max_messages, new_message_id,
(oicf)smtp_are_same_identities, (void*)&t_compare)
) )
{
if (tls_out.active.sock >= 0)
if ( f.continue_more
|| verify_check_given_host(CUSS &ob->hosts_noproxy_tls, host) == OK)
+
+/*XXX*/
+/* || sx->conn_args.dane && Ustrcmp( , ob->tls_sni) != 0 */
+/*XXX*/
{
/* Before passing the socket on, or returning to caller with it still
open, we must shut down TLS. Not all MTAs allow for the continuation