From c065180cc7302a6d0ef7db9272ead690a3f97c01 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Mon, 23 May 2022 12:09:43 +0100
Subject: [PATCH] TLS resumption: disable on continued-connection

When we have an open TCP connection and are start a second TLS session we do not have the host-lbserver string (being in a freshly exec'd process) needed for session-cache lookup, so resumptino is not safe.
---
src/src/tls-gnu.c | 5 ++++-
src/src/tls-openssl.c | 5 ++++-
src/src/transports/smtp.c | 4 ----
3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 30c8d40c0..6737a9a20 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -3277,7 +3277,10 @@ tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
 smtp_connect_args * conn_args, smtp_transport_options_block * ob)
 {
 tlsp->resumption = RESUME_SUPPORTED;
-if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host) == OK)
+
+if (continue_hostname) /* no host_lbserver available for tls_client_resmption_key() */
+ { DEBU(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
+else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host) == OK)
 {
 dbdata_tls_session * dt;
 int len, rc;
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7643c4c36..877069953 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -4024,7 +4024,10 @@ if (ob->tls_alpn)
 #endif
 #ifndef DISABLE_TLS_RESUME
-if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
+if (continue_hostname) /* no host_lbserver available for tls_client_resmption_key() */
+ /*XXX another cmdline arg possibly, but use will be very low */
+ { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
+else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
 tls_client_ctx_resume_prehandshake(exim_client_ctx, conn_args, tlsp, ob);
 #endif
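Review bot: `DEBU(D_tls)` on the added continued-connection branch in tls_retrieve_session does not match the `DEBUG(D_tls)` macro the parallel tls-openssl.c hunk uses, so unless a `DEBU` macro exists this line will fail to compile in a GnuTLS build; it should read `{ DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }`. The trailing comment on the new `if` spells the helper as `tls_client_resmption_key()` in both this hunk and the tls-openssl.c one; presumably `tls_client_resumption_key()` is meant. Note also that `tlsp->resumption = RESUME_SUPPORTED;` is still assigned unconditionally just above the new check, so on a continued connection the status reports support even though the cache lookup is skipped — worth confirming that is the intended report for logging. tls_retrieve_session's body continues past the end of the hunk.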
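Review bot: The `/*XXX another cmdline arg possibly, but use will be very low */` comment in the tls-openssl.c hunk is placed between the `if (continue_hostname)` condition and its braced body, which makes the statement harder to read than it needs to be; moving it onto the line above the `if`, next to the existing `/* no host_lbserver available ... */` remark, keeps the condition and body adjacent. The same continued-connection guard, with the same debug string, now appears in both TLS backends; if a third backend or a change to the rule ever lands, a single shared predicate would keep them from drifting apart. The enclosing function starts before this hunk.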
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index e59055bd2..145907ca6 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -1072,7 +1072,6 @@ if (pending_EHLO)
 if (tls_out.active.sock >= 0 || !(peer_offered & OPTION_TLS))
 ehlo_response_limits_read(sx);
 #endif
-/*XXX RESUMP - EHLO-resp avail here int sx->buffer */
 if ( peer_offered != sx->peer_offered
 || (authbits = study_ehlo_auths(sx)) != *ap)
 {
@@ -2546,7 +2545,6 @@ goto SEND_QUIT;
 )
 #endif
 /*XXX RESUMP - sx->buffer has the EHLO-resp, but only if not early-pipe and not continued-connection */
-/* maybe disable resump on cont? */
 );
 #ifdef EXPERIMENTAL_ESMTP_LIMITS
 if (tls_out.active.sock >= 0 || !(sx->peer_offered & OPTION_TLS))
@@ -2672,7 +2670,6 @@ if ( smtp_peer_options & OPTION_TLS
 sx->early_pipe_active = FALSE;
 goto PIPE_CONNECT_RETRY;
 }
-/*XXX RESUMP - does this leave the EHLO-resp anywhere? Yes, sx->buffer */
 sx->conn_args.host_lbserver = ehlo_response_lbserver(sx->buffer, ob);
 }
 #endif
@@ -2703,7 +2700,6 @@ if ( smtp_peer_options & OPTION_TLS
 TLS_NEGOTIATE:
 {
 sx->conn_args.sending_ip_address = sending_ip_address;
- /*XXX RESUMP want LB-server info here */
 if (!tls_client_start(&sx->cctx, &sx->conn_args, sx->addrlist, &tls_out, &tls_errstr))
 {
 /* TLS negotiation failed; give an error. From outside, this function may
-- 
2.30.2