From f2de3a3339ee08778dffb98057f1c19bdcf86374 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Fri, 23 May 2014 15:50:07 +0100 Subject: [PATCH] Move OCSP out of EXPERIMENTAL --- doc/doc-docbook/spec.xfpt | 103 +++++++++++++++++++ doc/doc-txt/ChangeLog | 2 + doc/doc-txt/NewStuff | 9 +- doc/doc-txt/experimental-spec.txt | 91 ---------------- src/src/EDITME | 12 ++- src/src/config.h.defaults | 3 +- src/src/deliver.c | 4 +- src/src/exim.c | 6 +- src/src/globals.c | 2 +- src/src/globals.h | 2 +- src/src/readconf.c | 2 +- src/src/tls-gnu.c | 15 +-- src/src/tls-openssl.c | 44 ++++---- src/src/transports/smtp.c | 6 +- src/src/transports/smtp.h | 2 +- test/scripts/5600-OCSP-OpenSSL/REQUIRES | 2 +- test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES | 2 +- test/scripts/5650-OCSP-GnuTLS/REQUIRES | 2 +- test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES | 2 +- 19 files changed, 167 insertions(+), 144 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 46c83adf9..990df6241 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -13222,6 +13222,7 @@ listed in more than one group. .row &%tls_crl%& "certificate revocation list" .row &%tls_dh_max_bits%& "clamp D-H bit count suggestion" .row &%tls_dhparam%& "DH parameters for server" +.row &%tls_ocsp_file%& "location of server certificate status proof" .row &%tls_on_connect_ports%& "specify SSMTP (SMTPS) ports" .row &%tls_privatekey%& "location of server private key" .row &%tls_remember_esmtp%& "don't reset after starting TLS" @@ -16341,6 +16342,13 @@ prior to the 4.80 release, as Debian used to patch Exim to raise the minimum acceptable bound from 1024 to 2048. +.option tls_ocsp_file main string&!! unset +This option +must if set expand to the absolute path to a file which contains a current +status proof for the server's certificate, as obtained from the +Certificate Authority. + + .option tls_on_connect_ports main "string list" unset This option specifies a list of incoming SSMTP (aka SMTPS) ports that should operate the obsolete SSMTP (SMTPS) protocol, where a TLS session is immediately @@ -23005,6 +23013,18 @@ hard failure if required. See also &%hosts_try_auth%&, and chapter &<>& for details of authentication. +.option hosts_request_ocsp smtp "host list&!!" * +.cindex "TLS" "requiring for certain servers" +Exim will request a Certificate Status on a +TLS session for any host that matches this list. +&%tls_verify_certificates%& should also be set for the transport. + +.option hosts_require_ocsp smtp "host list&!!" unset +.cindex "TLS" "requiring for certain servers" +Exim will request, and check for a valid Certificate Status being given, on a +TLS session for any host that matches this list. +&%tls_verify_certificates%& should also be set for the transport. + .option hosts_require_tls smtp "host list&!!" unset .cindex "TLS" "requiring for certain servers" Exim will insist on using a TLS session when delivering to any host that @@ -26164,12 +26184,79 @@ certificate is supplied, &$tls_in_peerdn$& is empty. .cindex "TLS" "revoked certificates" .cindex "revocation list" .cindex "certificate" "revocation list" +.cindex "OCSP" "stapling" Certificate issuing authorities issue Certificate Revocation Lists (CRLs) when certificates are revoked. If you have such a list, you can pass it to an Exim server using the global option called &%tls_crl%& and to an Exim client using an identically named option for the &(smtp)& transport. In each case, the value of the option is expanded and must then be the name of a file that contains a CRL in PEM format. +The downside is that clients have to periodically re-download a potentially huge +file from every certificate authority the know of. + +The way with most moving parts at query time is Online Certificate +Status Protocol (OCSP), where the client verifies the certificate +against an OCSP server run by the CA. This lets the CA track all +usage of the certs. It requires running software with access to the +private key of the CA, to sign the responses to the OCSP queries. OCSP +is based on HTTP and can be proxied accordingly. + +The only widespread OCSP server implementation (known to this writer) +comes as part of OpenSSL and aborts on an invalid request, such as +connecting to the port and then disconnecting. This requires +re-entering the passphrase each time some random client does this. + +The third way is OCSP Stapling; in this, the server using a certificate +issued by the CA periodically requests an OCSP proof of validity from +the OCSP server, then serves it up inline as part of the TLS +negotiation. This approach adds no extra round trips, does not let the +CA track users, scales well with number of certs issued by the CA and is +resilient to temporary OCSP server failures, as long as the server +starts retrying to fetch an OCSP proof some time before its current +proof expires. The downside is that it requires server support. + +Unless Exim is built with the support disabled, +or with GnuTLS earlier than version 3.1.3, +support for OCSP stapling is included. + +There is a global option called &%tls_ocsp_file%&. +The file specified therein is expected to be in DER format, and contain +an OCSP proof. Exim will serve it as part of the TLS handshake. This +option will be re-expanded for SNI, if the &%tls_certificate%& option +contains &`tls_in_sni`&, as per other TLS options. + +Exim does not at this time implement any support for fetching a new OCSP +proof. The burden is on the administrator to handle this, outside of +Exim. The file specified should be replaced atomically, so that the +contents are always valid. Exim will expand the &%tls_ocsp_file%& option +on each connection, so a new file will be handled transparently on the +next connection. + +When built with OpenSSL Exim will check for a valid next update timestamp +in the OCSP proof; if not present, or if the proof has expired, it will be +ignored. + +For the client to be able to verify the stapled OCSP the server must +also supply, in its stapled information, any intermediate +certificates for the chain leading to the OCSP proof from the signer +of the server certificate. There may be zero or one such. These +intermediate certificates should be added to the server OCSP stapling +file named by &%tls_ocsp_file%&. + +Note that the proof only covers the terminal server certificate, +not any of the chain from CA to it. + +.code + A helper script "ocsp_fetch.pl" for fetching a proof from a CA + OCSP server is supplied. The server URL may be included in the + server certificate, if the CA is helpful. + + One failure mode seen was the OCSP Signer cert expiring before the end + of validity of the OCSP proof. The checking done by Exim/OpenSSL + noted this as invalid overall, but the re-fetch script did not. +.endd + + .section "Configuring an Exim client to use TLS" "SECID185" @@ -26225,6 +26312,19 @@ The &%tls_verify_hosts%& and &%tls_try_verify_hosts%& options restrict certificate verification to the listed servers. Verification either must or need not succeed respectively. +The &(smtp)& transport has two OCSP-related options: +&%hosts_require_ocsp%&; a host-list for which a Certificate Status +is requested and required for the connection to proceed. The default +value is empty. +&%hosts_request_ocsp%&; a host-list for which (additionally) +a Certificate Status is requested (but not necessarily verified). The default +value is "*" meaning that requests are made unless configured +otherwise. + +The host(s) should also be in &%hosts_require_tls%&, and +&%tls_verify_certificates%& configured for the transport, +for OCSP to be relevant. + If &%tls_require_ciphers%& is set on the &(smtp)& transport, it must contain a list of permitted cipher suites. If either of these checks fails, delivery to @@ -26310,6 +26410,9 @@ during TLS session handshake, to permit alternative values to be chosen: .next .vindex "&%tls_verify_certificates%&" &%tls_verify_certificates%& +.next +.vindex "&%tls_ocsp_file%&" +&%tls_verify_certificates%& .endlist Great care should be taken to deal with matters of case, various injection diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 22be3438e..ee56623ad 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -121,6 +121,8 @@ JH/23 The PRDR feature is moved from being Experimental into the mainline. TL/11 Bug 1119: fix memory allocation in string_printing2(). Patch from Christian Aistleitner. +JH/24 The OCSP stapling feature is moved from Experimental into the mainline. + Exim version 4.82 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index ac06ebfc6..f3e2dc1eb 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -39,8 +39,7 @@ Version 4.83 7. New command-line option -C for exiqgrep to specify alternate exim.conf file when searching the queue. - 8. EXPERIMENTAL_OCSP now supports GnuTLS also, if you have version 3.1.3 - or later of that. + 8. OCSP now supports GnuTLS also, if you have version 3.1.3 or later of that. 9. Support for DNSSEC on outbound connections. @@ -51,6 +50,12 @@ Version 4.83 11. PRDR is now supported dy default. +12. OCSP stapling is now supported by default. + +13. If built with the EXPERIMENTAL_DSN feature enabled, Exim will output + Delivery Status Notification messages in MIME format, and negociate + DSN features per RFC 3461. + Version 4.82 ------------ diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt index 7872f24e2..6657f63c7 100644 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@ -6,97 +6,6 @@ about experimental features, all of which are unstable and liable to incompatible change. -OCSP Stapling support --------------------------------------------------------------- - -X.509 PKI certificates expire and can be revoked; to handle this, the -clients need some way to determine if a particular certificate, from a -particular Certificate Authority (CA), is still valid. There are three -main ways to do so. - -The simplest way is to serve up a Certificate Revocation List (CRL) with -an ordinary web-server, regenerating the CRL before it expires. The -downside is that clients have to periodically re-download a potentially -huge file from every certificate authority it knows of. - -The way with most moving parts at query time is Online Certificate -Status Protocol (OCSP), where the client verifies the certificate -against an OCSP server run by the CA. This lets the CA track all -usage of the certs. This requires running software with access to the -private key of the CA, to sign the responses to the OCSP queries. OCSP -is based on HTTP and can be proxied accordingly. - -The only widespread OCSP server implementation (known to this writer) -comes as part of OpenSSL and aborts on an invalid request, such as -connecting to the port and then disconnecting. This requires -re-entering the passphrase each time some random client does this. - -The third way is OCSP Stapling; in this, the server using a certificate -issued by the CA periodically requests an OCSP proof of validity from -the OCSP server, then serves it up inline as part of the TLS -negotiation. This approach adds no extra round trips, does not let the -CA track users, scales well with number of certs issued by the CA and is -resilient to temporary OCSP server failures, as long as the server -starts retrying to fetch an OCSP proof some time before its current -proof expires. The downside is that it requires server support. - -If Exim is built with EXPERIMENTAL_OCSP and it was built with OpenSSL, -or with GnuTLS 3.1.3 or later, then it gains a new global option: -"tls_ocsp_file". - -The file specified therein is expected to be in DER format, and contain -an OCSP proof. Exim will serve it as part of the TLS handshake. This -option will be re-expanded for SNI, if the tls_certificate option -contains $tls_sni, as per other TLS options. - -Exim does not at this time implement any support for fetching a new OCSP -proof. The burden is on the administrator to handle this, outside of -Exim. The file specified should be replaced atomically, so that the -contents are always valid. Exim will expand the "tls_ocsp_file" option -on each connection, so a new file will be handled transparently on the -next connection. - -Under OpenSSL Exim will check for a valid next update timestamp in the -OCSP proof; if not present, or if the proof has expired, it will be -ignored. - -Also, given EXPERIMENTAL_OCSP, the smtp transport gains two options: -- "hosts_require_ocsp"; a host-list for which an OCSP Stapling -is requested and required for the connection to proceed. The default -value is empty. -- "hosts_request_ocsp"; a host-list for which (additionally) an OCSP -Stapling is requested (but not necessarily verified). The default -value is "*" meaning that requests are made unless configured -otherwise. - -The host(s) should also be in "hosts_require_tls", and -"tls_verify_certificates" configured for the transport. - -For the client to be able to verify the stapled OCSP the server must -also supply, in its stapled information, any intermediate -certificates for the chain leading to the OCSP proof from the signer -of the server certificate. There may be zero or one such. These -intermediate certificates should be added to the server OCSP stapling -file (named by tls_ocsp_file). - -Note that the proof only covers the terminal server certificate, -not any of the chain from CA to it. - -At this point in time, we're gathering feedback on use, to determine if -it's worth adding complexity to the Exim daemon to periodically re-fetch -OCSP files and somehow handling multiple files. - - A helper script "ocsp_fetch.pl" for fetching a proof from a CA - OCSP server is supplied. The server URL may be included in the - server certificate, if the CA is helpful. - - One failure mode seen was the OCSP Signer cert expiring before the end - of validity of the OCSP proof. The checking done by Exim/OpenSSL - noted this as invalid overall, but the re-fetch script did not. - - - - Brightmail AntiSpam (BMI) suppport -------------------------------------------------------------- diff --git a/src/src/EDITME b/src/src/EDITME index 0d31ba5c1..d576fd7a3 100644 --- a/src/src/EDITME +++ b/src/src/EDITME @@ -415,6 +415,13 @@ EXIM_MONITOR=eximon.bin # DISABLE_PRDR=yes +#------------------------------------------------------------------------------ +# Uncomment the following line to remove OCSP stapling support in TLS, +# from Exim. Note it can only be supported when built with +# GnuTLS 3.1.3 or later, or OpenSSL + +# DISABLE_OCSP=yes + #------------------------------------------------------------------------------ # By default, Exim has support for checking the AD bit in a DNS response, to # determine if DNSSEC validation was successful. If your system libraries @@ -459,11 +466,6 @@ EXIM_MONITOR=eximon.bin # CFLAGS += -I/opt/brightmail/bsdk-6.0/include # LDFLAGS += -lxml2_single -lbmiclient_single -L/opt/brightmail/bsdk-6.0/lib -# Uncomment the following line to add OCSP stapling support in TLS, if Exim -# was built using OpenSSL, or with GnuTLS 3.1.3 or later. - -# EXPERIMENTAL_OCSP=yes - # Uncomment the following line to add DMARC checking capability, implemented # using libopendmarc libraries. # EXPERIMENTAL_DMARC=yes diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults index 0bb97a231..ba4615c11 100644 --- a/src/src/config.h.defaults +++ b/src/src/config.h.defaults @@ -41,6 +41,8 @@ it's a default value. */ #define DELIVER_IN_BUFFER_SIZE 8192 #define DELIVER_OUT_BUFFER_SIZE 8192 #define DISABLE_DKIM +#define DISABLE_PRDR +#define DISABLE_OCSP #define DISABLE_DNSSEC #define DISABLE_D_OPTION @@ -169,7 +171,6 @@ it's a default value. */ #define EXPERIMENTAL_DCC #define EXPERIMENTAL_DMARC #define EXPERIMENTAL_DSN -#define EXPERIMENTAL_OCSP #define EXPERIMENTAL_PROXY #define EXPERIMENTAL_REDIS #define EXPERIMENTAL_SPF diff --git a/src/src/deliver.c b/src/src/deliver.c index 68c04877e..70f6a7a21 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -3019,7 +3019,7 @@ while (!done) (void) tls_import_cert(ptr, &addr->ourcert); break; - #ifdef EXPERIMENTAL_OCSP + #ifndef DISABLE_OCSP case '4': addr->ocsp = OCSP_NOT_REQ; if (*ptr) @@ -4167,7 +4167,7 @@ for (delivery_count = 0; addr_remote != NULL; delivery_count++) *ptr++ = 0; rmt_dlv_checked_write(fd, big_buffer, ptr - big_buffer); } - # ifdef EXPERIMENTAL_OCSP + #ifndef DISABLE_OCSP if (addr->ocsp > OCSP_NOT_REQ) { ptr = big_buffer; diff --git a/src/src/exim.c b/src/src/exim.c index 1435a0ac4..517b5435e 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -808,6 +808,9 @@ fprintf(f, "Support for:"); #ifndef DISABLE_PRDR fprintf(f, " PRDR"); #endif +#ifndef DISABLE_OCSP + fprintf(f, " OCSP"); +#endif #ifdef EXPERIMENTAL_SPF fprintf(f, " Experimental_SPF"); #endif @@ -823,9 +826,6 @@ fprintf(f, "Support for:"); #ifdef EXPERIMENTAL_DMARC fprintf(f, " Experimental_DMARC"); #endif -#ifdef EXPERIMENTAL_OCSP - fprintf(f, " Experimental_OCSP"); -#endif #ifdef EXPERIMENTAL_PROXY fprintf(f, " Experimental_Proxy"); #endif diff --git a/src/src/globals.c b/src/src/globals.c index f8166aadf..b3d2ab8c5 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -150,7 +150,7 @@ that's the interop problem which has been observed: GnuTLS suggesting a higher bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */ int tls_dh_max_bits = 2236; uschar *tls_dhparam = NULL; -#if defined(EXPERIMENTAL_OCSP) +#ifndef DISABLE_OCSP uschar *tls_ocsp_file = NULL; #endif BOOL tls_offered = FALSE; diff --git a/src/src/globals.h b/src/src/globals.h index c2ab99b9c..cf9b61eff 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -114,7 +114,7 @@ extern uschar *tls_channelbinding_b64; /* string of base64 channel binding */ extern uschar *tls_crl; /* CRL File */ extern int tls_dh_max_bits; /* don't accept higher lib suggestions */ extern uschar *tls_dhparam; /* DH param file */ -#if defined(EXPERIMENTAL_OCSP) +#ifndef DISABLE_OCSP extern uschar *tls_ocsp_file; /* OCSP stapling proof file */ #endif extern BOOL tls_offered; /* Server offered TLS */ diff --git a/src/src/readconf.c b/src/src/readconf.c index 11f7184a6..fb1476365 100644 --- a/src/src/readconf.c +++ b/src/src/readconf.c @@ -439,7 +439,7 @@ static optionlist optionlist_config[] = { { "tls_crl", opt_stringptr, &tls_crl }, { "tls_dh_max_bits", opt_int, &tls_dh_max_bits }, { "tls_dhparam", opt_stringptr, &tls_dhparam }, -# if defined(EXPERIMENTAL_OCSP) +# ifndef DISABLE_OCSP { "tls_ocsp_file", opt_stringptr, &tls_ocsp_file }, # endif { "tls_on_connect_ports", opt_stringptr, &tls_in.on_connect_ports }, diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index af43686e4..e85095d65 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -43,7 +43,7 @@ require current GnuTLS, then we'll drop support for the ancient libraries). #if GNUTLS_VERSION_NUMBER >= 0x020c00 # include #endif -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP # include #endif @@ -216,7 +216,7 @@ static void exim_gnutls_logger_cb(int level, const char *message); static int exim_sni_handling_cb(gnutls_session_t session); -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, gnutls_datum_t * ocsp_response); #endif @@ -809,7 +809,7 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate) /* Set the OCSP stapling server info */ -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if ( !host /* server */ && tls_ocsp_file ) @@ -1485,7 +1485,7 @@ return 0; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, @@ -1705,7 +1705,7 @@ smtp_transport_options_block *ob = v_ob; int rc; const char *error; exim_gnutls_state_st *state = NULL; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, NULL, host->name, host->address, NULL) == OK; BOOL request_ocsp = require_ocsp ? TRUE @@ -1787,7 +1787,8 @@ else gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE); } -#ifdef EXPERIMENTAL_OCSP /* since GnuTLS 3.1.3 */ +#ifndef DISABLE_OCSP + /* supported since GnuTLS 3.1.3 */ if (request_ocsp) { DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n"); @@ -1827,7 +1828,7 @@ if (state->verify_requirement != VERIFY_NONE && !verify_certificate(state, &error)) return tls_error(US"certificate verification failed", error, state->host); -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if (require_ocsp) { DEBUG(D_tls) diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 1d6b91470..05af3db88 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -22,13 +22,13 @@ functions from the OpenSSL library. */ #include #include #include -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP # include #endif -#ifdef EXPERIMENTAL_OCSP -#define EXIM_OCSP_SKEW_SECONDS (300L) -#define EXIM_OCSP_MAX_AGE (-1L) +#ifndef DISABLE_OCSP +# define EXIM_OCSP_SKEW_SECONDS (300L) +# define EXIM_OCSP_MAX_AGE (-1L) #endif #if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT) @@ -88,7 +88,7 @@ static BOOL reexpand_tls_files_for_sni = FALSE; typedef struct tls_ext_ctx_cb { uschar *certificate; uschar *privatekey; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP BOOL is_server; union { struct { @@ -127,7 +127,7 @@ setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL opt #ifdef EXIM_HAVE_OPENSSL_TLSEXT static int tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg); #endif -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP static int tls_server_stapling_cb(SSL *s, void *arg); #endif @@ -213,7 +213,7 @@ return rsa_key; /* Extreme debug -#if defined(EXPERIMENTAL_OCSP) +#ifndef DISABLE_OCSP void x509_store_dump_cert_s_names(X509_STORE * store) { @@ -295,7 +295,7 @@ else if (X509_STORE_CTX_get_error_depth(x509ctx) != 0) { DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n", X509_STORE_CTX_get_error_depth(x509ctx), txt); -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store) { /* client, wanting stapling */ /* Add the server cert's signing chain as the one @@ -486,7 +486,7 @@ return TRUE; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP /************************************************* * Load OCSP information into state * *************************************************/ @@ -620,7 +620,7 @@ bad: } return; } -#endif /*EXPERIMENTAL_OCSP*/ +#endif /*!DISABLE_OCSP*/ @@ -682,7 +682,7 @@ if (expanded != NULL && *expanded != 0) "SSL_CTX_use_PrivateKey_file file=%s", expanded), cbinfo->host, NULL); } -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL) { if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded)) @@ -772,7 +772,7 @@ SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb); SSL_CTX_set_tlsext_servername_arg(server_sni, cbinfo); if (cbinfo->server_cipher_list) SSL_CTX_set_cipher_list(server_sni, CS cbinfo->server_cipher_list); -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if (cbinfo->u_ocsp.server.file) { SSL_CTX_set_tlsext_status_cb(server_sni, tls_server_stapling_cb); @@ -801,7 +801,7 @@ return SSL_TLSEXT_ERR_OK; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP /************************************************* * Callback to handle OCSP Stapling * @@ -985,7 +985,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) OCSP_RESPONSE_free(rsp); return i; } -#endif /*EXPERIMENTAL_OCSP*/ +#endif /*!DISABLE_OCSP*/ @@ -1011,7 +1011,7 @@ Returns: OK/DEFER/FAIL static int tls_init(SSL_CTX **ctxp, host_item *host, uschar *dhparam, uschar *certificate, uschar *privatekey, -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP uschar *ocsp_file, #endif address_item *addr, tls_ext_ctx_cb ** cbp) @@ -1024,7 +1024,7 @@ tls_ext_ctx_cb *cbinfo; cbinfo = store_malloc(sizeof(tls_ext_ctx_cb)); cbinfo->certificate = certificate; cbinfo->privatekey = privatekey; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP if ((cbinfo->is_server = host==NULL)) { cbinfo->u_ocsp.server.file = ocsp_file; @@ -1126,7 +1126,7 @@ if (rc != OK) return rc; #ifdef EXIM_HAVE_OPENSSL_TLSEXT if (host == NULL) /* server */ { -# ifdef EXPERIMENTAL_OCSP +# ifndef DISABLE_OCSP /* We check u_ocsp.server.file, not server.response, because we care about if the option exists, not what the current expansion might be, as SNI might change the certificate and OCSP file in use between now and the time the @@ -1142,7 +1142,7 @@ if (host == NULL) /* server */ SSL_CTX_set_tlsext_servername_callback(*ctxp, tls_servername_cb); SSL_CTX_set_tlsext_servername_arg(*ctxp, cbinfo); } -# ifdef EXPERIMENTAL_OCSP +# ifndef DISABLE_OCSP else /* client */ if(ocsp_file) /* wanting stapling */ { @@ -1379,7 +1379,7 @@ if (tls_in.active >= 0) the error. */ rc = tls_init(&server_ctx, NULL, tls_dhparam, tls_certificate, tls_privatekey, -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP tls_ocsp_file, #endif NULL, &server_static_cbinfo); @@ -1549,7 +1549,7 @@ uschar *expciphers; X509* server_cert; int rc; static uschar cipherbuf[256]; -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, NULL, host->name, host->address, NULL) == OK; BOOL request_ocsp = require_ocsp ? TRUE @@ -1559,7 +1559,7 @@ BOOL request_ocsp = require_ocsp ? TRUE rc = tls_init(&client_ctx, host, NULL, ob->tls_certificate, ob->tls_privatekey, -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP (void *)(long)request_ocsp, #endif addr, &client_static_cbinfo); @@ -1647,7 +1647,7 @@ if (ob->tls_sni) } } -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP /* Request certificate status at connection-time. If the server does OCSP stapling we will get the callback (set in tls_init()) */ if (request_ocsp) diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 38dcfa080..db424fa61 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -102,14 +102,14 @@ optionlist smtp_transport_options[] = { (void *)offsetof(smtp_transport_options_block, hosts_override) }, { "hosts_randomize", opt_bool, (void *)offsetof(smtp_transport_options_block, hosts_randomize) }, -#if defined(SUPPORT_TLS) && defined(EXPERIMENTAL_OCSP) +#if defined(SUPPORT_TLS) && !defined(DISABLE_OCSP) { "hosts_request_ocsp", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_request_ocsp) }, #endif { "hosts_require_auth", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_auth) }, #ifdef SUPPORT_TLS -# if defined EXPERIMENTAL_OCSP +# ifndef DISABLE_OCSP { "hosts_require_ocsp", opt_stringptr, (void *)offsetof(smtp_transport_options_block, hosts_require_ocsp) }, # endif @@ -203,7 +203,7 @@ smtp_transport_options_block smtp_transport_option_defaults = { #ifndef DISABLE_PRDR NULL, /* hosts_try_prdr */ #endif -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP US"*", /* hosts_request_ocsp */ NULL, /* hosts_require_ocsp */ #endif diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h index a481943bb..dd41e1f15 100644 --- a/src/src/transports/smtp.h +++ b/src/src/transports/smtp.h @@ -24,7 +24,7 @@ typedef struct { #ifndef DISABLE_PRDR uschar *hosts_try_prdr; #endif -#ifdef EXPERIMENTAL_OCSP +#ifndef DISABLE_OCSP uschar *hosts_request_ocsp; uschar *hosts_require_ocsp; #endif diff --git a/test/scripts/5600-OCSP-OpenSSL/REQUIRES b/test/scripts/5600-OCSP-OpenSSL/REQUIRES index 3d15ede9e..73788d383 100644 --- a/test/scripts/5600-OCSP-OpenSSL/REQUIRES +++ b/test/scripts/5600-OCSP-OpenSSL/REQUIRES @@ -1,3 +1,3 @@ support OpenSSL -support Experimental_OCSP +support OCSP running IPv4 diff --git a/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES b/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES index 77fbd5bba..492da8f2c 100644 --- a/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES +++ b/test/scripts/5608-OCSP-OpenSSL-TPDA/REQUIRES @@ -1,4 +1,4 @@ support OpenSSL -support Experimental_OCSP +support OCSP support Experimental_TPDA running IPv4 diff --git a/test/scripts/5650-OCSP-GnuTLS/REQUIRES b/test/scripts/5650-OCSP-GnuTLS/REQUIRES index 78746cac4..70ce2de51 100644 --- a/test/scripts/5650-OCSP-GnuTLS/REQUIRES +++ b/test/scripts/5650-OCSP-GnuTLS/REQUIRES @@ -1,3 +1,3 @@ support GnuTLS -support Experimental_OCSP +support OCSP running IPv4 diff --git a/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES b/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES index 2650bd997..379807959 100644 --- a/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES +++ b/test/scripts/5658-OCSP-GnuTLS-TPDA/REQUIRES @@ -1,4 +1,4 @@ support GnuTLS -support Experimental_OCSP +support OCSP support Experimental_TPDA running IPv4 -- 2.30.2