X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/4e3a01c2607937d5fbc477b6e14495adc2281941..1072af868662ea8fec30454c2d62afdee24f2c8e:/src/src/tls-openssl.c

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 22750d273..043755c84 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1477,12 +1477,12 @@ return;
 
 
 static void
-ocsp_free_response_list(exim_openssl_state_st * cbinfo)
+ocsp_free_response_list(exim_openssl_state_st * state)
 {
-for (ocsp_resplist * olist = cbinfo->u_ocsp.server.olist; olist;
+for (ocsp_resplist * olist = state->u_ocsp.server.olist; olist;
      olist = olist->next)
   OCSP_RESPONSE_free(olist->resp);
-cbinfo->u_ocsp.server.olist = NULL;
+state->u_ocsp.server.olist = NULL;
 }
 #endif	/*!DISABLE_OCSP*/
 
@@ -1574,6 +1574,11 @@ else
       if (olist && !*olist)
 	olist = NULL;
 
+      /* If doing a re-expand after SNI, avoid reloading the OCSP
+      responses when the list of filenames has not changed.
+      The creds-invali on content change wipes file_expanded, so that
+      always reloads here. */
+
       if (  state->u_ocsp.server.file_expanded && olist
 	 && (Ustrcmp(olist, state->u_ocsp.server.file_expanded) == 0))
 	{
@@ -1918,6 +1923,9 @@ tls_server_creds_invalidate(void)
 {
 SSL_CTX_free(state_server.lib_state.lib_ctx);
 state_server.lib_state = null_tls_preload;
+#ifndef DISABLE_OCSP
+state_server.u_ocsp.server.file_expanded = NULL;
+#endif
 }
 
 
@@ -2763,7 +2771,7 @@ if (state->lib_state.conn_certs)
 else
   {
 #ifndef DISABLE_OCSP
-  if (!host)
+  if (!host)					/* server */
     {
     state->u_ocsp.server.file = ocsp_file;
     state->u_ocsp.server.file_expanded = NULL;
@@ -3191,7 +3199,7 @@ uschar c, * s;
 size_t len;
 
 #ifdef EXIM_HAVE_EXPORT_CHNL_BNGNG
-if (SSL_version(ssl) >= TLS1_3_VERSION)
+if (SSL_version(ssl) > TLS1_2_VERSION)
   {
   /* It's not documented by OpenSSL how big the output buffer must be.
   The OpenSSL testcases use 80 bytes but don't say why. The GnuTLS impl only