X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/73a4670220991e000cc31a60fc90264cf12bd981..0e944a0d8501ebf6ff71c652a48bd38b984f4450:/src/src/tls-openssl.c diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index e01edc008..5ea41d692 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/tls-openssl.c,v 1.27 2010/06/07 00:12:42 pdp Exp $ */ +/* $Cambridge: exim/src/src/tls-openssl.c,v 1.28 2010/06/12 17:56:32 jetmore Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -438,7 +438,10 @@ static void construct_cipher_name(SSL *ssl) { static uschar cipherbuf[256]; -SSL_CIPHER *c; +/* With OpenSSL 1.0.0a, this needs to be const but the documentation doesn't +yet reflect that. It should be a safe change anyway, even 0.9.8 versions have +the accessor functions use const in the prototype. */ +const SSL_CIPHER *c; uschar *ver; int bits; @@ -460,7 +463,7 @@ switch (ssl->session->ssl_version) ver = US"UNKNOWN"; } -c = SSL_get_current_cipher(ssl); +c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl); SSL_CIPHER_get_bits(c, &bits); string_format(cipherbuf, sizeof(cipherbuf), "%s:%s:%u", ver, @@ -714,7 +717,7 @@ if (rc <= 0) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL); if (ERR_get_error() == 0) log_write(0, LOG_MAIN, - " => client disconnected cleanly (rejected our certificate?)\n"); + "TLS client disconnected cleanly (rejected our certificate?)"); return FAIL; } @@ -1078,8 +1081,10 @@ Returns: nothing void tls_version_report(FILE *f) { -fprintf(f, "OpenSSL compile-time version: %s\n", OPENSSL_VERSION_TEXT); -fprintf(f, "OpenSSL runtime version: %s\n", SSLeay_version(SSLEAY_VERSION)); +fprintf(f, "Library version: OpenSSL: Compile: %s\n" + " Runtime: %s\n", + OPENSSL_VERSION_TEXT, + SSLeay_version(SSLEAY_VERSION)); } @@ -1175,7 +1180,7 @@ all options unless explicitly for DTLS, let the administrator choose which to apply. This list is current as of: - ==> 0.9.8n <== */ + ==> 1.0.0c <== */ static struct exim_openssl_option exim_openssl_options[] = { /* KEEP SORTED ALPHABETICALLY! */ #ifdef SSL_OP_ALL @@ -1214,6 +1219,18 @@ static struct exim_openssl_option exim_openssl_options[] = { #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION { US"no_session_resumption_on_renegotiation", SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION }, #endif +#ifdef SSL_OP_NO_SSLv2 + { US"no_sslv2", SSL_OP_NO_SSLv2 }, +#endif +#ifdef SSL_OP_NO_SSLv3 + { US"no_sslv3", SSL_OP_NO_SSLv3 }, +#endif +#ifdef SSL_OP_NO_TICKET + { US"no_ticket", SSL_OP_NO_TICKET }, +#endif +#ifdef SSL_OP_NO_TLSv1 + { US"no_tlsv1", SSL_OP_NO_TLSv1 }, +#endif #ifdef SSL_OP_SINGLE_DH_USE { US"single_dh_use", SSL_OP_SINGLE_DH_USE }, #endif @@ -1286,11 +1303,10 @@ uschar *s, *end; uschar keep_c; BOOL adding, item_parsed; +result = 0L; /* We grandfather in as default the one option which we used to set always. */ #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS -result = SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; -#else -result = 0L; +result |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; #endif if (option_spec == NULL) @@ -1307,7 +1323,7 @@ for (s=option_spec; *s != '\0'; /**/) if (*s != '+' && *s != '-') { DEBUG(D_tls) debug_printf("malformed openssl option setting: " - "+ or - expected but found \"%s\"", s); + "+ or - expected but found \"%s\"\n", s); return FALSE; } adding = *s++ == '+'; @@ -1317,7 +1333,7 @@ for (s=option_spec; *s != '\0'; /**/) item_parsed = tls_openssl_one_option_parse(s, &item); if (!item_parsed) { - DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"", s); + DEBUG(D_tls) debug_printf("openssl option setting unrecognised: \"%s\"\n", s); return FALSE; } DEBUG(D_tls) debug_printf("openssl option, %s from %lx: %lx (%s)\n",