OpenSSL: fix reload of changed OCSP proof
authorJeremy Harris <jgh146exb@wizmail.org>
Sat, 20 Aug 2022 15:43:03 +0000 (16:43 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Sat, 20 Aug 2022 17:22:39 +0000 (18:22 +0100)
doc/doc-txt/ChangeLog
src/src/tls-openssl.c
src/src/tls.c
test/confs/1102
test/log/1102
test/scripts/1100-Basic-TLS/1102
test/src/client.c
test/stdout/1102

index d17370589aa588813f3839b99407f63a8b2d89c4..6a4e10915cc4f4c6d3dbae363de6e35293b85b14 100644 (file)
@@ -26,6 +26,10 @@ JH/05 Follow symlinks for placing a watch on TLS creds files.  This means
 JH/06 Check for bad chars in rDNS for sender_host_name. The OpenBSD (at least)
       dn_expand() is happy to pass them through.
 
 JH/06 Check for bad chars in rDNS for sender_host_name. The OpenBSD (at least)
       dn_expand() is happy to pass them through.
 
+JH/07 OpenSSL Fix auto-reload of changed server OCSP proof. Previously, if
+      the file with the proof had an unchanged name, the new proof(s) were
+      loaded on top of the old ones (and nover used; the old ones were stapled).
+
 
 Exim version 4.96
 -----------------
 
 Exim version 4.96
 -----------------
index c46bc75a571f7efab9d2b125f4b0b3725c88eb3e..c63e56c0e9c3fcd9f3b982924407252c40406591 100644 (file)
@@ -1477,12 +1477,12 @@ return;
 
 
 static void
 
 
 static void
-ocsp_free_response_list(exim_openssl_state_st * cbinfo)
+ocsp_free_response_list(exim_openssl_state_st * state)
 {
 {
-for (ocsp_resplist * olist = cbinfo->u_ocsp.server.olist; olist;
+for (ocsp_resplist * olist = state->u_ocsp.server.olist; olist;
      olist = olist->next)
   OCSP_RESPONSE_free(olist->resp);
      olist = olist->next)
   OCSP_RESPONSE_free(olist->resp);
-cbinfo->u_ocsp.server.olist = NULL;
+state->u_ocsp.server.olist = NULL;
 }
 #endif /*!DISABLE_OCSP*/
 
 }
 #endif /*!DISABLE_OCSP*/
 
@@ -1574,6 +1574,11 @@ else
       if (olist && !*olist)
        olist = NULL;
 
       if (olist && !*olist)
        olist = NULL;
 
+      /* If doing a re-expand after SNI, avoid reloading the OCSP
+      responses when the list of filenames has not changed.
+      The creds-invali on content change wipes file_expanded, so that
+      always reloads here. */
+
       if (  state->u_ocsp.server.file_expanded && olist
         && (Ustrcmp(olist, state->u_ocsp.server.file_expanded) == 0))
        {
       if (  state->u_ocsp.server.file_expanded && olist
         && (Ustrcmp(olist, state->u_ocsp.server.file_expanded) == 0))
        {
@@ -1918,6 +1923,7 @@ tls_server_creds_invalidate(void)
 {
 SSL_CTX_free(state_server.lib_state.lib_ctx);
 state_server.lib_state = null_tls_preload;
 {
 SSL_CTX_free(state_server.lib_state.lib_ctx);
 state_server.lib_state = null_tls_preload;
+state_server.u_ocsp.server.file_expanded = NULL;
 }
 
 
 }
 
 
@@ -2763,7 +2769,7 @@ if (state->lib_state.conn_certs)
 else
   {
 #ifndef DISABLE_OCSP
 else
   {
 #ifndef DISABLE_OCSP
-  if (!host)
+  if (!host)                                   /* server */
     {
     state->u_ocsp.server.file = ocsp_file;
     state->u_ocsp.server.file_expanded = NULL;
     {
     state->u_ocsp.server.file = ocsp_file;
     state->u_ocsp.server.file_expanded = NULL;
index 32b29ee3e4ded6062bb64dae30400ca092700393..d7cefce677c19cf33e0693aada28a3ce1332aaca 100644 (file)
@@ -361,6 +361,8 @@ tls_watch_invalidate();
 #endif
 
 tls_server_creds_invalidate();
 #endif
 
 tls_server_creds_invalidate();
+
+/* _expire is for a time-limited selfsign server cert */
 tls_creds_expire = (lifetime = tls_server_creds_init())
   ? time(NULL) + lifetime : 0;
 
 tls_creds_expire = (lifetime = tls_server_creds_init())
   ? time(NULL) + lifetime : 0;
 
index 2bab6e80422c1c014c593aad7b4d9d1b26733d80..23afc36ee5d8ff80a3d82e4f10c3a3ae15a7ddf2 100644 (file)
@@ -9,7 +9,9 @@ primary_hostname = myhost.test.ex
 tls_advertise_hosts = *
 
 tls_certificate = DIR/tmp/certs/servercert
 tls_advertise_hosts = *
 
 tls_certificate = DIR/tmp/certs/servercert
-tls_privatekey = DIR/tmp/certs/serverkey
+tls_privatekey =  DIR/tmp/certs/serverkey
+tls_ocsp_file =   DIR/tmp/certs/ocsp_proof
+
 #tls_verify_certificates = DIR/aux-fixed/cert2
 tls_verify_certificates = system,cache
 
 #tls_verify_certificates = DIR/aux-fixed/cert2
 tls_verify_certificates = system,cache
 
index 9bbca1052adca0c1c97675a3cac780d86450584f..89933f7098373a58e94c97fb38468b99b67908b9 100644 (file)
@@ -1,5 +1,5 @@
 
 ******** SERVER ********
 2017-07-30 18:51:05.712 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
 
 ******** SERVER ********
 2017-07-30 18:51:05.712 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
-2017-07-30 18:51:05.712 server cert: CN=Phil Pennock
 2017-07-30 18:51:05.712 server cert: CN=server1.example.com
 2017-07-30 18:51:05.712 server cert: CN=server1.example.com
+2017-07-30 18:51:05.712 server cert: CN=server1.example.net
index 862d26a6ec25be58d40708ab101c36c1db1019f3..285b3be098dbae8210d785487794c3853ce8d5bc 100644 (file)
@@ -2,13 +2,14 @@
 #
 #
 mkdir -p DIR/tmp/certs
 #
 #
 mkdir -p DIR/tmp/certs
-cp DIR/aux-fixed/cert1 DIR/tmp/certs/servercert
-cp DIR/aux-fixed/cert1 DIR/tmp/certs/serverkey
+cp DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem            DIR/tmp/certs/servercert
+cp DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key   DIR/tmp/certs/serverkey
+cp DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.ocsp.good.resp DIR/tmp/certs/ocsp_proof
 #
 #exim -d-all+tls+receive+timestamp -DSERVER=server -bd -oX PORT_D
 exim -DSERVER=server -bd -oX PORT_D
 ****
 #
 #exim -d-all+tls+receive+timestamp -DSERVER=server -bd -oX PORT_D
 exim -DSERVER=server -bd -oX PORT_D
 ****
-client-anytls 127.0.0.1 PORT_D
+client-anytls -ocsp DIR/aux-fixed/exim-ca/example.com/server1.example.com/ca_chain.pem 127.0.0.1 PORT_D
 ??? 220
 EHLO rhu.barb
 ????250
 ??? 220
 EHLO rhu.barb
 ????250
@@ -24,12 +25,14 @@ QUIT
 ??? 221
 ****
 sleep 1
 ??? 221
 ****
 sleep 1
-# Now overwrite the cert.  key?
-cp DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.pem DIR/tmp/certs/servercert
-cp DIR/aux-fixed/exim-ca/example.com/server1.example.com/server1.example.com.unlocked.key DIR/tmp/certs/serverkey
-# The watch mech waits 5 sec after the last trigger, so give that time to expire the send another message
+# Now overwrite the cert
+# XXX using server2.com fails here, on the ocsp verify.  Why?
+cp DIR/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.pem            DIR/tmp/certs/servercert
+cp DIR/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.unlocked.key   DIR/tmp/certs/serverkey
+cp DIR/aux-fixed/exim-ca/example.net/server1.example.net/server1.example.net.ocsp.good.resp DIR/tmp/certs/ocsp_proof
+# The watch mech waits 5 sec after the last trigger, so give that time to expire then send another message
 sleep 7
 sleep 7
-client-anytls 127.0.0.1 PORT_D
+client-anytls -ocsp DIR/aux-fixed/exim-ca/example.net/server1.example.net/ca_chain.pem 127.0.0.1 PORT_D
 ??? 220
 EHLO rhu.barb
 ????250
 ??? 220
 EHLO rhu.barb
 ????250
index 9beaf25bb74a4ef154b35c94db1036f150b71f88..29712bb5e6128cf489a68048d135700495664252 100644 (file)
@@ -802,6 +802,8 @@ nextinput:
              }
            fflush(stdout);
            }
              }
            fflush(stdout);
            }
+           else
+             printf("Succeeded in starting TLS (with OCSP)\n");
          #endif
          }
        #endif
          #endif
          }
        #endif
@@ -1341,7 +1343,7 @@ if (tls_on_connect)
     printf("Failed to verify certificate status\n");
 #endif
   else
     printf("Failed to verify certificate status\n");
 #endif
   else
-    printf("Succeeded in starting TLS\n");
+    printf("Succeeded in starting TLS%s\n", ocsp_stapling ? " (with OCSP)":"");
   }
 #endif
 
   }
 #endif
 
index 0e9c0b366300dc82c0c2a50416658de4c7ad01ad..908c37d34f36067b850df0472a5c11da22652fe8 100644 (file)
@@ -7,7 +7,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-Succeeded in starting TLS
+Succeeded in starting TLS (with OCSP)
 >>> EHLO rhu.barb
 ????250
 >>> MAIL FROM:<>
 >>> EHLO rhu.barb
 ????250
 >>> MAIL FROM:<>
@@ -29,7 +29,7 @@ Connecting to 127.0.0.1 port 1225 ... connected
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
 ??? 220
 <<< 220 TLS go ahead
 Attempting to start TLS
-Succeeded in starting TLS
+Succeeded in starting TLS (with OCSP)
 >>> EHLO rhu.barb
 ????250
 >>> MAIL FROM:<>
 >>> EHLO rhu.barb
 ????250
 >>> MAIL FROM:<>