X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d3e58fcb87faf7131a2712fcfaef200ffd191f05..1613fd68b5931757016c3c25fdc3b0f37827e7f1:/src/src/tls-openssl.c diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 5e3edbb40..db48c9451 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1000,7 +1000,7 @@ if (!EVP_PKEY_assign_RSA(pkey, rsa)) goto err; X509_set_version(x509, 2); /* N+1 - version 3 */ -ASN1_INTEGER_set(X509_get_serialNumber(x509), 0); +ASN1_INTEGER_set(X509_get_serialNumber(x509), 1); X509_gmtime_adj(X509_get_notBefore(x509), 0); X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */ X509_set_pubkey(x509, pkey); @@ -1601,9 +1601,15 @@ if (init_options) else DEBUG(D_tls) debug_printf("no SSL CTX options to set\n"); -/* Disable session cache unconditionally */ - +/* We'd like to disable session cache unconditionally, but foolish Outlook +Express clients then give up the first TLS connection and make a second one +(which works). Only when there is an IMAP service on the same machine. +Presumably OE is trying to use the cache for A on B. Leave it enabled for +now, until we work out a decent way of presenting control to the config. It +will never be used because we use a new context every time. */ +#ifdef notdef (void) SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); +#endif /* Initialize with DH parameters if supplied */ /* Initialize ECDH temp key parameter selection */ @@ -1746,6 +1752,7 @@ else * Set up for verifying certificates * *************************************************/ +#ifndef DISABLE_OCSP /* Load certs from file, return TRUE on success */ static BOOL @@ -1763,6 +1770,7 @@ while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL))) BIO_free(bp); return TRUE; } +#endif @@ -2499,10 +2507,12 @@ if (error == SSL_ERROR_ZERO_RETURN) if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN) SSL_shutdown(server_ssl); +#ifndef DISABLE_OCSP sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); + server_static_cbinfo->verify_stack = NULL; +#endif SSL_free(server_ssl); SSL_CTX_free(server_ctx); - server_static_cbinfo->verify_stack = NULL; server_ctx = NULL; server_ssl = NULL; tls_in.active = -1; @@ -2776,11 +2786,13 @@ if (shutdown) } } +#ifndef DISABLE_OCSP if (is_server) { sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free); server_static_cbinfo->verify_stack = NULL; } +#endif SSL_CTX_free(*ctxp); SSL_free(*sslp);