* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
/* See the file NOTICE for conditions of use and distribution. */
/* Portions Copyright (c) The OpenSSL Project 1999 */
yet reflect that. It should be a safe change anyway, even 0.9.8 versions have
the accessor functions use const in the prototype. */
const SSL_CIPHER *c;
-uschar *ver;
+const uschar *ver;
-switch (ssl->session->ssl_version)
- {
- case SSL2_VERSION:
- ver = US"SSLv2";
- break;
-
- case SSL3_VERSION:
- ver = US"SSLv3";
- break;
-
- case TLS1_VERSION:
- ver = US"TLSv1";
- break;
-
-#ifdef TLS1_1_VERSION
- case TLS1_1_VERSION:
- ver = US"TLSv1.1";
- break;
-#endif
-
-#ifdef TLS1_2_VERSION
- case TLS1_2_VERSION:
- ver = US"TLSv1.2";
- break;
-#endif
-
- default:
- ver = US"UNKNOWN";
- }
+ver = (const uschar *)SSL_get_version(ssl);
c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
SSL_CIPHER_get_bits(c, bits);
dh_min_bits minimum number of bits acceptable in server's DH prime
(unused in OpenSSL)
timeout startup timeout
+ verify_hosts mandatory client verification
+ try_verify_hosts optional client verification
Returns: OK on success
FAIL otherwise - note that tls_error() will not give DEFER
#ifdef EXPERIMENTAL_OCSP
uschar *hosts_require_ocsp,
#endif
- int dh_min_bits ARG_UNUSED, int timeout)
+ int dh_min_bits ARG_UNUSED, int timeout,
+ uschar *verify_hosts, uschar *try_verify_hosts)
{
static uschar txt[256];
uschar *expciphers;
return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
}
-rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE, verify_callback_client);
-if (rc != OK) return rc;
+/* stick to the old behaviour for compatibility if tls_verify_certificates is
+ set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
+ the specified host patterns if one of them is defined */
+if (((verify_hosts == NULL) && (try_verify_hosts == NULL)) ||
+ (verify_check_host(&verify_hosts) == OK))
+ {
+ rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE, verify_callback_client);
+ if (rc != OK) return rc;
+ client_verify_optional = FALSE;
+ }
+else if (verify_check_host(&try_verify_hosts) == OK)
+ {
+ rc = setup_certs(client_ctx, verify_certs, crl, host, TRUE, verify_callback_client);
+ if (rc != OK) return rc;
+ client_verify_optional = TRUE;
+ }
if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));
it can result in serious failures, including crashing with a SIGSEGV. So
report the version found by the compiler and the run-time version.
+Note: some OS vendors backport security fixes without changing the version
+number/string, and the version date remains unchanged. The _build_ date
+will change, so we can more usefully assist with version diagnosis by also
+reporting the build date.
+
Arguments: a FILE* to print the results to
Returns: nothing
*/
tls_version_report(FILE *f)
{
fprintf(f, "Library version: OpenSSL: Compile: %s\n"
- " Runtime: %s\n",
+ " Runtime: %s\n"
+ " : %s\n",
OPENSSL_VERSION_TEXT,
- SSLeay_version(SSLEAY_VERSION));
+ SSLeay_version(SSLEAY_VERSION),
+ SSLeay_version(SSLEAY_BUILT_ON));
+/* third line is 38 characters for the %s and the line is 73 chars long;
+the OpenSSL output includes a "built on: " prefix already. */
}
to apply.
This list is current as of:
- ==> 1.0.1b <== */
+ ==> 1.0.1b <==
+Plus SSL_OP_SAFARI_ECDHE_ECDSA_BUG from 2013-June patch/discussion on openssl-dev
+*/
static struct exim_openssl_option exim_openssl_options[] = {
/* KEEP SORTED ALPHABETICALLY! */
#ifdef SSL_OP_ALL
#ifdef SSL_OP_NO_TLSv1_2
{ US"no_tlsv1_2", SSL_OP_NO_TLSv1_2 },
#endif
+#ifdef SSL_OP_SAFARI_ECDHE_ECDSA_BUG
+ { US"safari_ecdhe_ecdsa_bug", SSL_OP_SAFARI_ECDHE_ECDSA_BUG },
+#endif
#ifdef SSL_OP_SINGLE_DH_USE
{ US"single_dh_use", SSL_OP_SINGLE_DH_USE },
#endif