diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-05-07 22:55:41 +0100 |
|---|---|---|
| committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2019-09-29 00:29:28 +0200 |
| commit | 4f75aba203cb7051d757f9d7d927988ec7989735 (patch) | |
| tree | ddc7dde4571f65baf7a83a1067589975caa3644b | |
| parent | 77e234bdc738aeba5e7e944af366b1035ec4e583 (diff) | |
| download | exim4-4f75aba203cb7051d757f9d7d927988ec7989735.tar.gz | |
GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp
(cherry picked from commit 7a501c874f028f689c44999ab05bb0d39da46941)
(cherry picked from commit 5e64b73ef7cdaf20b998b3345a588b462fd30bfb)
(cherry picked from commit 31700e5410af3d27654ff0a32c20d30b1a1e10c3)
(cherry picked from commit 6712694eae57a7d3544c6f0d8a6c03cd246fdb48)
| -rw-r--r-- | doc/doc-txt/ChangeLog | 3 | ||||
| -rw-r--r-- | src/src/tls-gnu.c | 12 | ||||
| -rw-r--r-- | test/log/5651 | 2 | ||||
| -rw-r--r-- | test/log/5730 | 8 |
4 files changed, 16 insertions, 9 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 445755dc6..00795fb83 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -65,6 +65,9 @@ JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks This affects log line X= elements, the $tls_{in,out}_cipher variables, and the use of specific cipher names in the encrypted= ACL condition. +JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the + verification result was not updated unless hosts_require_ocsp applied. + Exim version 4.92 ----------------- diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index af815d224..746eabfde 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -2491,7 +2491,7 @@ if (!verify_certificate(state, errstr)) } #ifndef DISABLE_OCSP -if (require_ocsp) +if (request_ocsp) { DEBUG(D_tls) { @@ -2515,10 +2515,14 @@ if (require_ocsp) { tlsp->ocsp = OCSP_FAILED; tls_error(US"certificate status check failed", NULL, state->host, errstr); - return NULL; + if (require_ocsp) + return FALSE; + } + else + { + DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); + tlsp->ocsp = OCSP_VFIED; } - DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); - tlsp->ocsp = OCSP_VFIED; } #endif diff --git a/test/log/5651 b/test/log/5651 index da0eb165e..611e51f34 100644 --- a/test/log/5651 +++ b/test/log/5651 @@ -16,7 +16,7 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 3 (failed) 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed diff --git a/test/log/5730 b/test/log/5730 index 3f2da5fda..bf8ad5dc7 100644 --- a/test/log/5730 +++ b/test/log/5730 @@ -1,10 +1,10 @@ 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmaX-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmaY-0005vi-00" -1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmaX-0005vi-00 client ocsp status: 3 (failed) 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmaZ-0005vi-00 => norequire@test.ex R=client T=send_to_server2 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00" -1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 1 (notresp) +1999-03-02 09:44:33 10HmaZ-0005vi-00 client ocsp status: 4 (verified) 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@server1.example.com U=CALLER P=local S=sss 1999-03-02 09:44:33 10HmbB-0005vi-00 => nostaple@test.ex R=client T=send_to_server1 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00" @@ -26,12 +26,12 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmaY-0005vi-00 client claims: OCSP status 3 (failed) 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmaY-0005vi-00 => :blackhole: <norequire@test.ex> R=server 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 1 (notresp) +1999-03-02 09:44:33 10HmbA-0005vi-00 client claims: OCSP status 4 (verified) 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@server1.example.com H=the.local.host.name (server1.example.com) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@server1.example.com 1999-03-02 09:44:33 10HmbA-0005vi-00 => :blackhole: <norequire@test.ex> R=server 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed |