X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;ds=sidebyside;f=src%2Fsrc%2Ftls-openssl.c;h=01622560f366c8613b7351bdcfebcd3ba9ee970b;hb=refs%2Fheads%2Ffix_isis_typos;hp=96be7c4a20ba9dba77255dd866c7696042e23afd;hpb=42f1855e94bd87f98bc6c74255be53ed6d805ba6;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 96be7c4a2..01622560f 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -711,7 +711,7 @@ OpenSSL >= 1.1.0: we do not set anything, the libray does autoselection */ static uschar * -init_ecdh_auto(SSL_CTX * ctx) +init_ecdh_auto(SSL_CTX * sctx) { #if OPENSSL_VERSION_NUMBER < 0x10002000L DEBUG(D_tls) debug_printf( @@ -1001,7 +1001,7 @@ Returns: nothing */ static void -info_callback(SSL * s, int where, int ret) +info_callback(const SSL * s, int where, int ret) { DEBUG(D_tls) { @@ -1192,6 +1192,8 @@ else uschar * name; int rc; while ((name = string_nextinlist(&list, &sep, NULL, 0))) + { + DEBUG(D_tls|D_lookup) debug_printf_indent("%s suitable for cert, per OpenSSL?", name); if ((rc = X509_check_host(cert, CCS name, 0, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS, @@ -1203,8 +1205,11 @@ else tlsp == &tls_out ? deliver_host_address : sender_host_address); name = NULL; } + DEBUG(D_tls|D_lookup) debug_printf_indent(" yes\n"); break; } + else DEBUG(D_tls|D_lookup) debug_printf_indent(" no\n"); + } if (!name) #else if (!tls_is_name_for_cert(verify_cert_hostnames, cert)) @@ -1433,7 +1438,7 @@ SNI handling. Separately we might try to replace using OCSP_basic_verify() - which seems to not be a public interface into the OpenSSL library (there's no manual entry) - -(in 3.0.0 + is is public) +(in 3.0.0 + it is public) But what with? We also use OCSP_basic_verify in the client stapling callback. And there we NEED it; we must verify that status... unless the library does it for us anyway? */ 
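Review bot: The new `" yes\n"` trace in the `@@ -1203,8 +1205,11 @@` hunk runs after the block that logs "SSL verify error: internal error" and sets `name = NULL`, so on that path the debug output would call the name suitable while the `if (!name)` test just below treats verification as failed. The condition guarding that block lies between this hunk and the preceding `@@ -1192,6 +1192,8 @@` hunk and is not visible, so the error path is inferred from the visible lines. Deriving the message from `name` keeps the trace truthful: `DEBUG(D_tls|D_lookup) debug_printf_indent(name ? " yes\n" : " error\n");`. A hostname-verification trace that answers "yes" for a rejected certificate is misleading to anyone diagnosing a failed or suspicious TLS verification.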
@@ -1750,13 +1755,13 @@ level. */ DEBUG(D_tls) { - SSL_CTX_set_info_callback(ctx, (void (*)())info_callback); + SSL_CTX_set_info_callback(ctx, info_callback); #if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE) /* this needs a debug build of OpenSSL */ - SSL_CTX_set_msg_callback(ctx, (void (*)())SSL_trace); + SSL_CTX_set_msg_callback(ctx, SSL_trace); #endif #ifdef OPENSSL_HAVE_KEYLOG_CB - SSL_CTX_set_keylog_callback(ctx, (void (*)())keylog_callback); + SSL_CTX_set_keylog_callback(ctx, keylog_callback); #endif } @@ -2399,7 +2404,7 @@ for (int pos = 0, siz; pos < inlen; pos += siz+1) if (pos + 1 + siz > inlen) siz = inlen - pos - 1; g = string_append_listele_n(g, ':', in + pos + 1, siz); } -log_write(0, LOG_MAIN, "TLS ALPN (%s) rejected", string_from_gstring(g)); +log_write(0, LOG_MAIN, "TLS ALPN (%Y) rejected", g); gstring_release_unused(g); return SSL_TLSEXT_ERR_ALERT_FATAL; } @@ -4527,10 +4532,15 @@ switch(error) /* Handle genuine errors */ case SSL_ERROR_SSL: + { + uschar * conn_info = smtp_get_connection_info(); + if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5; + /* I'd like to get separated H= here, but too hard for now */ ERR_error_string_n(ERR_get_error(), ssl_errstring, sizeof(ssl_errstring)); - log_write(0, LOG_MAIN, "TLS error (SSL_read): %s", ssl_errstring); + log_write(0, LOG_MAIN, "TLS error (SSL_read): on %s %s", conn_info, ssl_errstring); ssl_xfer_error = TRUE; return FALSE; + } default: DEBUG(D_tls) debug_printf("Got SSL error %d\n", error);
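Review bot: The `SSL_CTX_set_keylog_callback(ctx, keylog_callback);` registration under `DEBUG(D_tls)` has no comment saying what it exposes. OpenSSL passes that callback key-log lines carrying per-session secrets, which are enough to decrypt a recorded session. `keylog_callback` is not part of this hunk, so where those lines end up is not visible here. If they go to the debug output, I would add `/* keylog lines contain TLS session secrets: treat D_tls debug output as sensitive */` above the call. The enclosing function starts and ends outside the hunk.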
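Review bot: The names collected into `g` in the `@@ -2399,7 +2404,7 @@` hunk are copied byte-for-byte from the offered protocol list (`in + pos + 1`, length `siz`), which appears to be peer-supplied, and `log_write(0, LOG_MAIN, "TLS ALPN (%Y) rejected", g);` writes them to the main log. Unless `log_write` or the `%Y` conversion escapes non-printing characters, which this hunk does not show, a newline or control byte in a protocol name could split or forge log lines that operators and detection rules depend on. I would pass the collected text through the project's printable-escaping helper before logging and add a comment such as `/* ALPN names are peer-supplied: escape before logging */`. The enclosing function starts and ends outside the hunk.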
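Review bot: The prefix strip `if (Ustrncmp(conn_info, US"SMTP ", 5) == 0) conn_info += 5;` in the `SSL_ERROR_SSL` case assumes `smtp_get_connection_info()` never returns NULL, and it hard-codes both the literal and its length. Neither the return contract nor the string format is visible in this hunk, so both should be confirmed against that function. A comment such as `/* smtp_get_connection_info() yields "SMTP connection from ..."; drop the leading "SMTP " for the log line */` would record the dependency; the quoted format is a guess and must be checked before use. Log parsers that key on the old "TLS error (SSL_read): " format also need to know the connection description now precedes the OpenSSL error string.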