OpenSSL: fix build on earlier library versions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 9833f19e42a3b49f3c2b291e2031bc8630e46a92..273348ac8dfeb033c563f45f05b283fea911ef3e 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -17833,7 +17833,7 @@ Certificate Authority.
 Usable for GnuTLS 3.4.4 or 3.3.17 or OpenSSL 1.1.0 (or later).
 
 .new
-For OpenSSL, and
+For OpenSSL 1.1.0 or later, and
 .wen
 for GnuTLS 3.5.6 or later the expanded value of this option can be a list
 of files, to match a list given for the &%tls_certificate%& option.

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 057a0e006cdb3ac1cc8a0172d03b7ad93109e0e7..d165eb2c02908bfd28b92a68683f29c6ddad4823 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -74,6 +74,7 @@ change this guard and punt the issue for a while longer. */
 #  define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
 #  define EXIM_HAVE_SESSION_TICKET
 #  define EXIM_HAVE_OPESSL_TRACE
+#  define EXIM_HAVE_OPESSL_GET0_SERIAL
 # else
 #  define EXIM_NEED_OPENSSL_INIT
 # endif
@@ -1714,6 +1715,7 @@ tls_in.ocsp = OCSP_NOT_RESP;
 if (!olist)
   return SSL_TLSEXT_ERR_NOACK;
 
+#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
  {
   const X509 * cert_sent = SSL_get_certificate(s);
   const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
@@ -1761,6 +1763,13 @@ if (!olist)
     return SSL_TLSEXT_ERR_NOACK;
     }
  }
+#else
+if (olist->next)
+  {
+  DEBUG(D_tls) debug_printf("OpenSSL version too early to support multi-leaf OCSP\n");
+  return SSL_TLSEXT_ERR_NOACK;
+  }
+#endif
 
 /*XXX could we do the i2d earlier, rather than during the callback? */
 response_der = NULL;

diff --git a/test/log/5602 b/test/log/5602
new file mode 100644 (file)
index 0000000..95a283e
--- /dev/null
+++ b/test/log/5602
@@ -0,0 +1,16 @@
+1999-03-02 09:44:33 1: Server sends good staple on request, to client requiring RSA auth
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaX-0005vi-00 => rsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 2: Server sends good staple on request, to client preferring ECDSA auth
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => ecdsa.auth@test.ex R=client T=remote_delivery H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=yes DN="/CN=server1.example_ec.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 acl_mail: ocsp in status: 4 (verified)
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (server1.example.com) [127.0.0.1] P=esmtps X=TLS1.x:ke-ECDSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com

diff --git a/test/scripts/5600-OCSP-OpenSSL/5602 b/test/scripts/5600-OCSP-OpenSSL/5602
index 07fda294c47f91c049ab74f93045076f14844f04..02c27ce449768d6d4826f1869ad29b4f638cd9c5 100644 (file)
--- a/test/scripts/5600-OCSP-OpenSSL/5602
+++ b/test/scripts/5600-OCSP-OpenSSL/5602
@@ -1,4 +1,5 @@
 # OCSP stapling, server, multiple leaf-certs
+# This will fail on OpenSSL versions before 1.1.0
 #
 #
 #