From 4f1d23a1aa7aafc5a47988d80dde87c67ec8e1fc Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 6 May 2019 12:28:14 +0100 Subject: [PATCH] OpenSSL: discard expired resumption session in client --- doc/doc-txt/experimental-spec.txt | 3 ++- src/src/tls-openssl.c | 6 ++++++ test/log/5891 | 4 ++-- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index aa7046e58..f304cf455 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -1004,7 +1004,8 @@ Issues: will be true, when verify failed but tls_try_verify_hosts allowed the connection (under OpenSSL) $tls_{in,out}_cipher will have values different to the original (under GnuTLS) - $tls_{in,out}_ocsp will be "not requested" or "no response" + $tls_{in,out}_ocsp will be "not requested" or "no response", and + hosts_require_ocsp will fail -------------------------------------------------------------- diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index ee52b7caa..df884355e 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -2731,6 +2731,12 @@ if (tlsp->host_resumable) debug_printf("decoding session: %s\n", ssl_errstring); } } + else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp + < time(NULL)) + { + DEBUG(D_tls) debug_printf("session expired\n"); + dbfn_delete(dbm_file, key); + } else if (!SSL_set_session(ssl, ss)) { DEBUG(D_tls) diff --git a/test/log/5891 b/test/log/5891 index 6edba3c0a..56c00dd37 100644 --- a/test/log/5891 +++ b/test/log/5891 @@ -53,7 +53,7 @@ 1999-03-02 09:44:33 10HmbE-0005vi-00 => postrenewal@test.ex R=client T=send_to_server1 H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=yes DN="/C=UK/O=The Exim Maintainers/OU=Test Suite/CN=Phil Pennock" C="250 OK id=10HmbF-0005vi-00" 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss for timeout@test.ex -1999-03-02 09:44:33 10HmbG-0005vi-00 tls_out_resumption client offered session, server only provided new ticket +1999-03-02 09:44:33 10HmbG-0005vi-00 tls_out_resumption client requested new ticket, server provided 1999-03-02 09:44:33 10HmbG-0005vi-00 our cert subject 1999-03-02 09:44:33 10HmbG-0005vi-00 peer cert subject CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK 1999-03-02 09:44:33 10HmbG-0005vi-00 peer cert verified 1 @@ -209,7 +209,7 @@ 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@myhost.test.ex H=(helo.data.changed) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx* CV=no S=sss id=E10HmbE-0005vi-00@myhost.test.ex for postrenewal@test.ex 1999-03-02 09:44:33 10HmbF-0005vi-00 => :blackhole: R=server 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed -1999-03-02 09:44:33 tls_in_resumption client offered session, server only provided new ticket +1999-03-02 09:44:33 tls_in_resumption client requested new ticket, server provided 1999-03-02 09:44:33 our cert subject CN=Phil Pennock,OU=Test Suite,O=The Exim Maintainers,C=UK 1999-03-02 09:44:33 peer cert subject 1999-03-02 09:44:33 peer cert verified 0 -- 2.30.2