TLS resumption: disable on continued-connection

When we have an open TCP connection and are start a second TLS session
we do not have the host-lbserver string (being in a freshly exec'd
process) needed for session-cache lookup, so resumptino is not safe.

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 30c8d40c0f10cdb4e93d7bfa87a8c66fccce49c7..6737a9a2010d48f429daaba274a5fbfdef9811c2 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -3277,7 +3277,10 @@ tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
   smtp_connect_args * conn_args, smtp_transport_options_block * ob)
 {
 tlsp->resumption = RESUME_SUPPORTED;
-if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host) == OK)
+
+if (continue_hostname) /* no host_lbserver available for tls_client_resmption_key() */
+  { DEBU(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
+else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host) == OK)
   {
   dbdata_tls_session * dt;
   int len, rc;

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7643c4c363f5455046479a0083d82a8fb524a363..8770699535f0fcf3c1d488cc15e84b6e5d3fc3f2 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -4024,7 +4024,10 @@ if (ob->tls_alpn)
 #endif
 
 #ifndef DISABLE_TLS_RESUME
-if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
+if (continue_hostname) /* no host_lbserver available for tls_client_resmption_key() */
+                       /*XXX another cmdline arg possibly, but use will be very low */
+  { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
+else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
   tls_client_ctx_resume_prehandshake(exim_client_ctx, conn_args, tlsp, ob);
 #endif
 

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index e59055bd2fbed9cdfb1ffcdf10290a1b763aa872..145907ca6363729faf8c934789cd080b81858ef0 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1072,7 +1072,6 @@ if (pending_EHLO)
   if (tls_out.active.sock >= 0 || !(peer_offered & OPTION_TLS))
     ehlo_response_limits_read(sx);
 #endif
-/*XXX RESUMP - EHLO-resp avail here int sx->buffer */
   if (  peer_offered != sx->peer_offered
      || (authbits = study_ehlo_auths(sx)) != *ap)
     {
@@ -2546,7 +2545,6 @@ goto SEND_QUIT;
          )
 #endif
 /*XXX RESUMP - sx->buffer has the EHLO-resp, but only if not early-pipe and not continued-connection */
-/* maybe disable resump on cont? */
        );
 #ifdef EXPERIMENTAL_ESMTP_LIMITS
       if (tls_out.active.sock >= 0 || !(sx->peer_offered & OPTION_TLS))
@@ -2672,7 +2670,6 @@ if (  smtp_peer_options & OPTION_TLS
       sx->early_pipe_active = FALSE;
       goto PIPE_CONNECT_RETRY;
       }
-/*XXX RESUMP - does this leave the EHLO-resp anywhere?   Yes, sx->buffer */
     sx->conn_args.host_lbserver = ehlo_response_lbserver(sx->buffer, ob);
     }
 #endif
@@ -2703,7 +2700,6 @@ if (  smtp_peer_options & OPTION_TLS
   TLS_NEGOTIATE:
     {
     sx->conn_args.sending_ip_address = sending_ip_address;
-    /*XXX RESUMP want LB-server info  here */
     if (!tls_client_start(&sx->cctx, &sx->conn_args, sx->addrlist, &tls_out, &tls_errstr))
       {
       /* TLS negotiation failed; give an error. From outside, this function may