Openssl client: ocsp stapling on resumed session
authorJeremy Harris <jgh146exb@wizmail.org>
Thu, 7 Apr 2022 20:16:48 +0000 (21:16 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Thu, 7 Apr 2022 20:16:48 +0000 (21:16 +0100)
doc/doc-txt/ChangeLog
src/src/tls-openssl.c

index 3b1aa2664514f667dc0b989b717eb5266f765f45..239731436679ab4afc241e7df4389caaa016af32 100644 (file)
@@ -121,6 +121,11 @@ JH/27 Support the PIPECONNECT facility in the smtp transport when the helo_data
       Previously any use of the local address in the EHLO name disabled
       PIPECONNECT, the common case being to use the rDNS of it.
 
       Previously any use of the local address in the EHLO name disabled
       PIPECONNECT, the common case being to use the rDNS of it.
 
+JH/28 OpenSSL: fix transport-required OCSP stapling verification under session
+      resumption. Previously verify failed because no certificate status is
+      passed on the wire for the restarted session. Fix by using the recorded
+      ocsp status of the stored session for the new connection.
+
 
 Exim version 4.95
 -----------------
 
 Exim version 4.95
 -----------------
index 7bf62f504849efe29abeaf71fa2bb3f22d88e03b..ab3b636a382591f19db38937974433e15aa9414c 100644 (file)
@@ -2417,8 +2417,12 @@ int i;
 DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
 if(!p)
 DEBUG(D_tls) debug_printf("Received TLS status callback (OCSP stapling):\n");
 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
 if(!p)
- {
-  /* Expect this when we requested ocsp but got none */
+ {                             /* Expect this when we requested ocsp but got none */
+  if (SSL_session_reused(s) && tls_out.ocsp == OCSP_VFIED)
+    {
+    DEBUG(D_tls) debug_printf(" null, but resumed; ocsp vfy stored with session is good\n");
+    return 1;
+    }
   if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
     log_write(0, LOG_MAIN, "Required TLS certificate status not received");
   else
   if (cbinfo->u_ocsp.client.verify_required && LOGGING(tls_cipher))
     log_write(0, LOG_MAIN, "Required TLS certificate status not received");
   else
@@ -3658,22 +3662,19 @@ if (tlsp->host_resumable)
          DEBUG(D_tls) debug_printf("session expired\n");
          dbfn_delete(dbm_file, key);
          }
          DEBUG(D_tls) debug_printf("session expired\n");
          dbfn_delete(dbm_file, key);
          }
-       else if (!SSL_set_session(ssl, ss))
-         {
-         DEBUG(D_tls)
-           {
-           ERR_error_string_n(ERR_get_error(),
-             ssl_errstring, sizeof(ssl_errstring));
-           debug_printf("applying session to ssl: %s\n", ssl_errstring);
-           }
-         }
-       else
+       else if (SSL_set_session(ssl, ss))
          {
          DEBUG(D_tls) debug_printf("good session\n");
          tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
          tlsp->verify_override = dt->verify_override;
          tlsp->ocsp = dt->ocsp;
          }
          {
          DEBUG(D_tls) debug_printf("good session\n");
          tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
          tlsp->verify_override = dt->verify_override;
          tlsp->ocsp = dt->ocsp;
          }
+       else DEBUG(D_tls)
+         {
+         ERR_error_string_n(ERR_get_error(),
+           ssl_errstring, sizeof(ssl_errstring));
+         debug_printf("applying session to ssl: %s\n", ssl_errstring);
+         }
        }
       }
     else
        }
       }
     else
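Review bot: The early `return 1` added in the status callback (first hunk, inside the `if(!p)` branch) accepts a resumed session on the strength of `tls_out.ocsp == OCSP_VFIED`, a value the second hunk copies from the stored session record via `tlsp->ocsp = dt->ocsp`, and nothing in either hunk checks that the OCSP response verified for the original connection is still within its validity window, so a revocation published after the session was stored stays unnoticed for as long as the session remains reusable. If the `session expired` check just above the second hunk is meant to bound that window, say so next to the new return, e.g. `/* stored OCSP_VFIED is trusted only for the stored session's lifetime; the response's nextUpdate is not re-checked here */`; otherwise the stored record could carry the response's expiry and the callback compare it against the current time before returning success. The new condition also reads the global `tls_out` while the surrounding lines reach per-connection state through `cbinfo`, so if the same status is reachable from `cbinfo` the callback would stay tied to the connection it was registered for. Both enclosing functions begin and end outside the hunks.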