TLS: library version build-time checks for resumption support

diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index a2861c4a968b94f07d7e7f4ff1ad0b246b6279a1..feecb3375ca478404d95e2541e897cbab5574882 100644 (file)
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -953,9 +953,10 @@ Transport configurations should be checked for this.  An example avoidance:
 
 TLS Session Resumption
 ----------------------
 
 TLS Session Resumption
 ----------------------

-TLS Session Resumption for TLS 1.2 and TLS1.3 connections can be used (defined
+TLS Session Resumption for TLS 1.2 and TLS 1.3 connections can be used (defined

 in RFC 5077 for 1.2).  The support for this can be included by building with
 in RFC 5077 for 1.2).  The support for this can be included by building with

-EXPERIMENTAL_TLS_RESUME defined.
+EXPERIMENTAL_TLS_RESUME defined.  This requires GnuTLS 3.6.3 or OpenSSL 1.1.1
+(or later).

 
 Session resumption (this is the "stateless" variant) involves the server sending
 a "session ticket" to the client on one connection, which can be stored by the
 
 Session resumption (this is the "stateless" variant) involves the server sending
 a "session ticket" to the client on one connection, which can be stored by the

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 03002c704522199ee0e37291f729c94b9efb98e9..085f6b8404aa0e9d7dd2accd993fdf5d0b7b294d 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -89,6 +89,12 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 # endif
 #endif
 
 # endif
 #endif
 

+#ifdef EXPERIMENTAL_TLS_RESUME
+# if GNUTLS_VERSION_NUMBER < 0x030603
+#  error GNUTLS version too early for session-resumption
+# endif
+#endif
+

 #ifndef DISABLE_OCSP
 # include <gnutls/ocsp.h>
 #endif
 #ifndef DISABLE_OCSP
 # include <gnutls/ocsp.h>
 #endif


@@ -2475,7 +2481,6 @@ but this flag is not set until the second.  TLS 1.3 it's the other way about.
 Keep both calls as the session data cannot be extracted before handshake
 completes. */
 
 Keep both calls as the session data cannot be extracted before handshake
 completes. */
 

-#ifdef GNUTLS_SFLAGS_SESSION_TICKET

 if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
   {
   gnutls_datum_t tkt;
 if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
   {
   gnutls_datum_t tkt;


@@ -2510,7 +2515,6 @@ if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
     else DEBUG(D_tls)
       debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
   }
     else DEBUG(D_tls)
       debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
   }

-#endif

 }
 
 
 }
 
 

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index e47df7cb29f3f739eac6982fa2b5f408c3a2b23b..824212dbcbdfa87a2af1b6c61e7a2babfbb5b33d 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -108,6 +108,12 @@ change this guard and punt the issue for a while longer. */
 # define DISABLE_OCSP
 #endif
 
 # define DISABLE_OCSP
 #endif
 

+#ifdef EXPERIMENTAL_TLS_RESUME
+# if OPENSSL_VERSION_NUMBER < 0x0101010L
+#  error OpenSSL version too old for session-resumption
+# endif
+#endif
+

 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
 # include <openssl/x509v3.h>
 #endif
 #ifdef EXIM_HAVE_OPENSSL_CHECKHOST
 # include <openssl/x509v3.h>
 #endif