X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d3e58fcb87faf7131a2712fcfaef200ffd191f05..0e8aed8aab2d2b68d1f6e6b0b2985de2bd6d2a73:/src/src/tls-openssl.c diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 5e3edbb40..e69b64ce0 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1601,9 +1601,15 @@ if (init_options) else DEBUG(D_tls) debug_printf("no SSL CTX options to set\n"); -/* Disable session cache unconditionally */ - +/* We'd like to disable session cache unconditionally, but foolish Outlook +Express clients then give up the first TLS connection and make a second one +(which works). Only when there is an IMAP service on the same machine. +Presumably OE is trying to use the cache for A on B. Leave it enabled for +now, until we work out a decent way of presenting control to the config. It +will never be used because we use a new context every time. */ +#ifdef notdef (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); +#endif /* Initialize with DH parameters if supplied */ /* Initialize ECDH temp key parameter selection */ @@ -1746,6 +1752,7 @@ else * Set up for verifying certificates * *************************************************/ +#ifndef DISABLE_OCSP /* Load certs from file, return TRUE on success */ static BOOL @@ -1763,6 +1770,7 @@ while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL))) BIO_free(bp); return TRUE; } +#endif @@ -2499,10 +2507,12 @@ if (error == SSL_ERROR_ZERO_RETURN) if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN) SSL_shutdown(server_ssl); +#ifndef DISABLE_OCSP sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); + server_static_cbinfo->verify_stack = NULL; +#endif SSL_free(server_ssl); SSL_CTX_free(server_ctx); - server_static_cbinfo->verify_stack = NULL; server_ctx = NULL; server_ssl = NULL; tls_in.active = -1; @@ -2776,11 +2786,13 @@ if (shutdown) } } +#ifndef DISABLE_OCSP if (is_server) { sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); server_static_cbinfo->verify_stack = NULL; } +#endif SSL_CTX_free(*ctxp); SSL_free(*sslp);