From 96751ae76e6c6db435f5a4f141511d6f973b6583 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Tue, 4 Oct 2022 13:20:29 +0100
Subject: [PATCH] OpenSSL: fix configuration of older TLS protocol versions

---
 doc/doc-txt/ChangeLog              |  4 ++++
 src/src/tls-openssl.c              | 13 ++++++++++---
 test/confs/1190                    |  4 ++++
 test/confs/2091                    |  1 -
 test/log/1190                      |  1 +
 test/log/2091                      |  3 ---
 test/scripts/1190-TLS-ALPN/1190    | 26 ++++++++++++++++++++++++++
 test/scripts/2090-GnuTLS-ALPN/2091 | 19 -------------------
 test/stdout/2091                   | 21 ---------------------
 9 files changed, 45 insertions(+), 47 deletions(-)
 delete mode 120000 test/confs/2091
 delete mode 100644 test/log/2091
 delete mode 100644 test/scripts/2090-GnuTLS-ALPN/2091
 delete mode 100644 test/stdout/2091

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a662540fe..9d7d02d0e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -43,6 +43,10 @@ JH/09 Fix ${filter } for conditions that modify $value.  Previously the
 JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all.
       Find and fix by Jasen Betts.
 
+JH/11 OpenSSL: fix for ancient clients needing TLS support for versions earlier
+      than TLSv1,2,  Previously, more-recent versions of OpenSSL were permitting
+      the systemwide configuration to override the Exim config.
+
 
 Exim version 4.96
 -----------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 0129fb93e..9ddb16fc4 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2210,7 +2210,9 @@ already exists.  Might even need this selfsame callback, for reneg? */
   SSL_CTX * ctx = state_server.lib_state.lib_ctx;
   SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(ctx));
   SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(ctx));
+  SSL_CTX_set_min_proto_version(server_sni, SSL3_VERSION);
   SSL_CTX_set_options(server_sni, SSL_CTX_get_options(ctx));
+  SSL_CTX_clear_options(server_sni, ~SSL_CTX_get_options(ctx));
   SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(ctx));
   SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb);
   SSL_CTX_set_tlsext_servername_arg(server_sni, state);
@@ -2726,10 +2728,15 @@ if (init_options)
     }
 #endif
 
-  DEBUG(D_tls) debug_printf("setting SSL CTX options: %#lx\n", init_options);
-  if (!(SSL_CTX_set_options(ctx, init_options)))
-    return tls_error(string_sprintf(
+  SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION);
+  DEBUG(D_tls) debug_printf("setting  SSL CTX options: %016lx\n", init_options);
+  SSL_CTX_set_options(ctx, init_options);
+   {
+    ulong readback = SSL_CTX_clear_options(ctx, ~init_options);
+    if (readback != init_options)
+      return tls_error(string_sprintf(
           "SSL_CTX_set_option(%#lx)", init_options), host, NULL, errstr);
+   }
   }
 else
   DEBUG(D_tls) debug_printf("no SSL CTX options to set\n");
diff --git a/test/confs/1190 b/test/confs/1190
index c65bf5b0c..d368004e9 100644
--- a/test/confs/1190
+++ b/test/confs/1190
@@ -24,6 +24,10 @@ tls_alpn = STRICT
 hosts_require_alpn = *
 .endif
 
+.ifdef _HAVE_OPENSSL
+tls_require_ciphers = ALL:@SECLEVEL=0
+openssl_options = -no_sslv3 -no_tlsv1_1 -no_tlsv1
+.endif
 
 # ------ ACL ------
 
diff --git a/test/confs/2091 b/test/confs/2091
deleted file mode 120000
index 9aba31b86..000000000
--- a/test/confs/2091
+++ /dev/null
@@ -1 +0,0 @@
-2090
\ No newline at end of file
diff --git a/test/log/1190 b/test/log/1190
index bbef54bd6..53c56f59a 100644
--- a/test/log/1190
+++ b/test/log/1190
@@ -31,6 +31,7 @@
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbE-0005vi-00 => :blackhole: <e@test.ex> R=server
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
+1999-03-02 09:44:33 TLS error on connection from (IOTtester) [127.0.0.1] (tls lib accept fn): TCP connection closed by peer
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbG-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmbG-0005vi-00 => :blackhole: <f@test.ex> R=server
diff --git a/test/log/2091 b/test/log/2091
deleted file mode 100644
index 61b05e67f..000000000
--- a/test/log/2091
+++ /dev/null
@@ -1,3 +0,0 @@
-
-******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
diff --git a/test/scripts/1190-TLS-ALPN/1190 b/test/scripts/1190-TLS-ALPN/1190
index 50fbb7aeb..bd873c391 100644
--- a/test/scripts/1190-TLS-ALPN/1190
+++ b/test/scripts/1190-TLS-ALPN/1190
@@ -24,7 +24,33 @@ exim -DCONTROL="" -odf d@test.ex
 # Content-free client option is ok
 exim -DCONTROL=" " -odf e@test.ex
 ****
+#
+# Really dumb (IOT?) client, offering no TLS extensions at all in the Client Hello
+#
+# We're feeding the TLS protocol packet in manually rather then having
+# the TLS-enabled client do it, we (currently) can only drop the TCP conn after
+# the TLS conn completes (or fails).
+# Expect the server to log "TCP connection closed by peer" for the success case;
+# something else logged counts as bad.
+#
+client 127.0.0.1 PORT_D
+??? 220
+EHLO IOTtester
+??? 250-
+??? 250-SIZE
+??? 250-8BITMIME
+??? 250-PIPELINING
+??? 250-STARTTLS
+??? 250 HELP
+STARTTLS
+??? 220
+>>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00
+****
+millisleep 500
+#
+#
 killdaemon
+millisleep 500
 #
 # Server can be told to ignore (bad) ALPN from client
 exim -DSERVER=server -DSTRICT="" -bd -oX PORT_D
diff --git a/test/scripts/2090-GnuTLS-ALPN/2091 b/test/scripts/2090-GnuTLS-ALPN/2091
deleted file mode 100644
index de34a1a94..000000000
--- a/test/scripts/2090-GnuTLS-ALPN/2091
+++ /dev/null
@@ -1,19 +0,0 @@
-# TLS: ALPN: IOT client
-# Check server connection survives a TLS client offering no TLS extensions at all (including ALPN)
-gnutls
-exim -DSERVER=server -bd -oX PORT_D
-****
-client 127.0.0.1 PORT_D
-??? 220
-EHLO IOTtester
-??? 250-
-??? 250-SIZE
-??? 250-8BITMIME
-??? 250-PIPELINING
-??? 250-STARTTLS
-??? 250 HELP
-STARTTLS
-??? 220
->>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00
-****
-killdaemon
diff --git a/test/stdout/2091 b/test/stdout/2091
deleted file mode 100644
index fbddb3578..000000000
--- a/test/stdout/2091
+++ /dev/null
@@ -1,21 +0,0 @@
-Connecting to 127.0.0.1 port 1225 ... connected
-??? 220
-<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
->>> EHLO IOTtester
-??? 250-
-<<< 250-myhost.test.ex Hello IOTtester [127.0.0.1]
-??? 250-SIZE
-<<< 250-SIZE 52428800
-??? 250-8BITMIME
-<<< 250-8BITMIME
-??? 250-PIPELINING
-<<< 250-PIPELINING
-??? 250-STARTTLS
-<<< 250-STARTTLS
-??? 250 HELP
-<<< 250 HELP
->>> STARTTLS
-??? 220
-<<< 220 TLS go ahead
->>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00
-End of script
-- 
2.30.2