git://git.exim.org / exim.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 927a335)
OpenSSL: on library versions too old to support session tickets
authorJeremy Harris <jgh146exb@wizmail.org>
Sat, 19 Jun 2021 19:12:09 +0000 (20:12 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Sat, 19 Jun 2021 19:12:09 +0000 (20:12 +0100)
client-side limit the valid lifetime of resumable sessions

src/src/tls-openssl.c patch | blob | history

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 4d6eeaab3795776e90dee8b8e325ee4565cc1d12..cc72b2eeb40edef3de9f02a8f377ee8c33f82ea6 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -3408,29 +3408,35 @@ if (tlsp->host_resumable)
          debug_printf("decoding session: %s\n", ssl_errstring);
          }
        }
-#ifdef EXIM_HAVE_SESSION_TICKET
-      else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
-              < time(NULL))
+      else
        {
-       DEBUG(D_tls) debug_printf("session expired\n");
-       dbfn_delete(dbm_file, key);
-       }
+       unsigned long lifetime =
+#ifdef EXIM_HAVE_SESSION_TICKET
+         SSL_SESSION_get_ticket_lifetime_hint(ss);
+#else                  /* Use, fairly arbitrilarily, what we as server would */
+         f.running_in_test_harness ? 6 : ssl_session_timeout;
 #endif
-      else if (!SSL_set_session(ssl, ss))
-       {
-       DEBUG(D_tls)
+       if (lifetime + dt->time_stamp < time(NULL))
          {
-         ERR_error_string_n(ERR_get_error(),
-           ssl_errstring, sizeof(ssl_errstring));
-         debug_printf("applying session to ssl: %s\n", ssl_errstring);
+         DEBUG(D_tls) debug_printf("session expired\n");
+         dbfn_delete(dbm_file, key);
+         }
+       else if (!SSL_set_session(ssl, ss))
+         {
+         DEBUG(D_tls)
+           {
+           ERR_error_string_n(ERR_get_error(),
+             ssl_errstring, sizeof(ssl_errstring));
+           debug_printf("applying session to ssl: %s\n", ssl_errstring);
+           }
+         }
+       else
+         {
+         DEBUG(D_tls) debug_printf("good session\n");
+         tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
+         tlsp->verify_override = dt->verify_override;
+         tlsp->ocsp = dt->ocsp;
          }
-       }
-      else
-       {
-       DEBUG(D_tls) debug_printf("good session\n");
-       tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
-       tlsp->verify_override = dt->verify_override;
-       tlsp->ocsp = dt->ocsp;
        }
       }
     else
Master Exim source repository