TLS resumption: fix for PIPECONNECT

When actively initiating a connection with PIPECONNECT, evaluate
the EHLO response for possible lbserver indication when we do
eventually reap that response, before acting on the STARTTLS response.

diff --git a/src/src/structs.h b/src/src/structs.h
index 3debd60f33db654e09008da5a2997dac14373c1f..b38aa6a9d4427b70482e4948584e5929d573fcd8 100644 (file)
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -834,6 +834,7 @@ typedef struct {
   int                  sock;   /* used for a bound but not connected socket */
   uschar *             sending_ip_address;     /* used for TLS resumption */
   const uschar *       host_lbserver;          /* ditto, for server-behind LB */
+  BOOL                 have_lbserver:1;        /* host_lbserver is valid */
 
 #ifdef SUPPORT_DANE
   BOOL dane:1;                 /* connection must do dane */

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 5b48980145fe7be620755d014fcc19fe9404143f..fcb8f7ac464a98806477bca2e9a5a20d44f3f7f1 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -3278,7 +3278,7 @@ tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
 {
 tlsp->resumption = RESUME_SUPPORTED;
 
-if (continue_hostname) /* no host_lbserver available for tls_client_resmption_key() */
+if (!conn_args->have_lbserver)
   { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
 else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host) == OK)
   {

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 8770699535f0fcf3c1d488cc15e84b6e5d3fc3f2..2b8a4e61c97fb91fe7252afb31c3e03e18a1a8f2 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -4024,8 +4024,10 @@ if (ob->tls_alpn)
 #endif
 
 #ifndef DISABLE_TLS_RESUME
-if (continue_hostname) /* no host_lbserver available for tls_client_resmption_key() */
-                       /*XXX another cmdline arg possibly, but use will be very low */
+/*XXX have_lbserver: another cmdline arg possibly, for continued-conn, but use
+will be very low. */
+
+if (!conn_args->have_lbserver) /* wanted for tls_client_resmption_key() */
   { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
 else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
   tls_client_ctx_resume_prehandshake(exim_client_ctx, conn_args, tlsp, ob);

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 145907ca6363729faf8c934789cd080b81858ef0..ad6d100a348062579bb2f09af69fe72861d0bb4f 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1004,6 +1004,28 @@ return authbits;
 
 
 
+/* Grab a string differentiating server behind a loadbalancer, for TLS
+resumption when such servers do not share a session-cache */
+
+static void
+ehlo_response_lbserver(smtp_context * sx, smtp_transport_options_block * ob)
+{
+#if !defined(DISABLE_TLS) && !defined(DISABLE_TLS_RESUME)
+const uschar * s;
+uschar * save_item = iterate_item;
+
+if (sx->conn_args.have_lbserver)
+  return;
+iterate_item = sx->buffer;
+s = expand_cstring(ob->host_name_extract);
+iterate_item = save_item;
+sx->conn_args.host_lbserver = s && !*s ? NULL : s;
+sx->conn_args.have_lbserver = TRUE;
+#endif
+}
+
+
+
 /* Wait for and check responses for early-pipelining.
 
 Called from the lower-level smtp_read_response() function
@@ -1040,6 +1062,8 @@ if (pending_BANNER)
     if (tls_out.active.sock >= 0) rc = DEFER;
     goto fail;
     }
+  /*XXX EXPERIMENTAL_ESMTP_LIMITS ? */
+  ehlo_response_lbserver(sx, sx->conn_args.ob);
   }
 
 if (pending_EHLO)
@@ -1880,28 +1904,6 @@ return checks;
 
 
 
-/* Grab a string differentiating server behind a loadbalancer, for TLS
-resumption when such servers do not share a session-cache */
-
-static const uschar *
-ehlo_response_lbserver(uschar * buffer, smtp_transport_options_block * ob)
-{
-#if !defined(DISABLE_TLS) && !defined(DISABLE_TLS_RESUME)
-/* want to make this a main-section option */
-const uschar * s;
-uschar * save_item = iterate_item;
-
-iterate_item = buffer;
-s = expand_cstring(ob->host_name_extract);
-iterate_item = save_item;
-return s && !*s ? NULL : s;
-#else
-return NULL;
-#endif
-}
-
-
-
 /* Callback for emitting a BDAT data chunk header.
 
 If given a nonzero size, first flush any buffered SMTP commands
@@ -2544,7 +2546,6 @@ goto SEND_QUIT;
          : 0
          )
 #endif
-/*XXX RESUMP - sx->buffer has the EHLO-resp, but only if not early-pipe and not continued-connection */
        );
 #ifdef EXPERIMENTAL_ESMTP_LIMITS
       if (tls_out.active.sock >= 0 || !(sx->peer_offered & OPTION_TLS))
@@ -2567,7 +2568,7 @@ goto SEND_QUIT;
          }
        }
 #endif
-      sx->conn_args.host_lbserver = ehlo_response_lbserver(sx->buffer, ob);
+      ehlo_response_lbserver(sx, ob);
       }
 
   /* Set tls_offered if the response to EHLO specifies support for STARTTLS. */
@@ -2670,7 +2671,6 @@ if (  smtp_peer_options & OPTION_TLS
       sx->early_pipe_active = FALSE;
       goto PIPE_CONNECT_RETRY;
       }
-    sx->conn_args.host_lbserver = ehlo_response_lbserver(sx->buffer, ob);
     }
 #endif