X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Ftls-openssl.c;h=0d653a445bc44bce46f44b79e0255a69ba2ad08a;hb=2130e492c2cda886d74abbb77df4493f151e0a44;hp=b0b99779d460fca42f73cc2d4cfa00eb48f40865;hpb=97a60b65cd60d34c9717c698efbdff9332aa4f1b;p=user%2Fhenk%2Fcode%2Fexim.git
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index b0b99779d..0d653a445 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -704,12 +704,12 @@ if (Ustrcmp(exp_curve, "auto") == 0)
 #else
 # if defined SSL_CTRL_SET_ECDH_AUTO
 DEBUG(D_tls) debug_printf(
- "ECDH OpenSSL 1.0.2+ temp key parameter settings: autoselection\n");
+ "ECDH OpenSSL 1.0.2+: temp key parameter settings: autoselection\n");
 SSL_CTX_set_ecdh_auto(sctx, 1);
 return TRUE;
 # else
 DEBUG(D_tls) debug_printf(
- "ECDH OpenSSL 1.1.0+ temp key parameter settings: default selection\n");
+ "ECDH OpenSSL 1.1.0+: temp key parameter settings: default selection\n");
 return TRUE;
 # endif
 #endif
@@ -794,6 +794,9 @@ return rsa_key;
 
 
 /* Create and install a selfsigned certificate, for use in server mode */
+/*XXX we could arrange to call this during prelo for a null tls_certificate option.
+The normal cache inval + relo will suffice.
+Just need a timer for inval. */
 
 static int
 tls_install_selfsign(SSL_CTX * sctx, uschar ** errstr)
@@ -804,6 +807,7 @@ RSA * rsa;
 X509_NAME * name;
 uschar * where;
 
+DEBUG(D_tls) debug_printf("TLS: generating selfsigned server cert\n");
 where = US"allocating pkey";
 if (!(pkey = EVP_PKEY_new()))
 goto err;
@@ -823,7 +827,7 @@ if (!EVP_PKEY_assign_RSA(pkey, rsa))
 X509_set_version(x509, 2); /* N+1 - version 3 */
 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
 X509_gmtime_adj(X509_get_notBefore(x509), 0);
-X509_gmtime_adj(X509_get_notAfter(x509), (long)60 * 60); /* 1 hour */
+X509_gmtime_adj(X509_get_notAfter(x509), (long)2 * 60 * 60); /* 2 hour */
 X509_set_pubkey(x509, pkey);
 
 name = X509_get_subject_name(x509);
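Review bot: The new XXX comment above tls_install_selfsign (hunk at old line 794) is written as a todo — "we could arrange to call this during prelo", "Just need a timer for inval" — but this same commit adds exactly that in tls_server_creds_init (hunk at old line 1678: selfsign preload plus a returned lifetime), so the comment is stale on arrival and will send the next reader looking for work that is already done. Either drop it or restate it as what now happens, with the abbreviations spelled out, e.g. `/* Called during server preload when tls_certificate is unset; the preloaded cert is invalidated on a timer from tls_server_creds_init and regenerated on the normal cache-reload path. */`. tls_install_selfsign's body continues outside the hunk.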
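Review bot: The trailing comment on the new notAfter line (hunk at old line 823) says `/* 2 hour */` but gives no reason for doubling the validity, and the reason lives elsewhere: the preloaded selfsigned cert is refreshed every `60 * 60` seconds in tls_server_creds_init (hunk at old line 1678), so the validity has to exceed that interval with some margin for clock skew on the peer. Suggest `/* 2 hours: must outlive the 1-hour preload refresh in tls_server_creds_init */` so the two numbers are visibly coupled. The function continues outside the hunk.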
@@ -1619,18 +1623,19 @@ return OK;
 }
-static void
+static unsigned
 tls_server_creds_init(void)
 {
 SSL_CTX * ctx;
 uschar * dummy_errstr;
+unsigned lifetime = 0;
 tls_openssl_init();
 state_server.lib_state = null_tls_preload;
 if (lib_ctx_new(&ctx, NULL, &dummy_errstr) != OK)
- return;
+ return 0;
 state_server.lib_state.lib_ctx = ctx;
 /* Preload DH params and EC curve */
@@ -1648,7 +1653,7 @@ if (opt_unset_or_noexpand(tls_eccurve))
 state_server.lib_state.ecdh = TRUE;
 }
 
-#ifdef EXIM_HAVE_INOTIFY
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
 /* If we can, preload the server-side cert, key and ocsp */
 
 if ( opt_set_and_noexpand(tls_certificate)
@@ -1658,8 +1663,7 @@ if ( opt_set_and_noexpand(tls_certificate)
 && opt_unset_or_noexpand(tls_privatekey))
 {
 /* Set watches on the filenames. The implementation does de-duplication
- so we can just blindly do them all.
- */
+ so we can just blindly do them all. */
 
 if ( tls_set_watch(tls_certificate, TRUE)
 # ifndef DISABLE_OCSP
@@ -1678,6 +1682,18 @@ if ( opt_set_and_noexpand(tls_certificate)
 state_server.lib_state.conn_certs = TRUE;
 }
 }
+else if ( !tls_certificate && !tls_privatekey
+# ifndef DISABLE_OCSP
+ && !tls_ocsp_file
+#endif
+ )
+ { /* Generate & preload a selfsigned cert. No files to watch. */
+ if (tls_expand_session_files(ctx, &state_server, &dummy_errstr) == OK)
+ {
+ state_server.lib_state.conn_certs = TRUE;
+ lifetime = f.running_in_test_harness ? 2 : 60 * 60; /* 1 hour */
+ }
+ }
 else
 DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
 
@@ -1718,6 +1734,7 @@ if (opt_set_and_noexpand(tls_require_ciphers))
 }
 else
 DEBUG(D_tls) debug_printf("TLS: not preloading cipher list for server\n");
+return lifetime;
 }
 
 
@@ -1759,7 +1776,7 @@ if (opt_unset_or_noexpand(tls_eccurve))
 ob->tls_preload.ecdh = TRUE;
 }
 
-#ifdef EXIM_HAVE_INOTIFY
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
 if ( opt_set_and_noexpand(ob->tls_certificate)
 && opt_unset_or_noexpand(ob->tls_privatekey))
 {
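Review bot: tls_server_creds_init now returns a value (hunk at old line 1619) but nothing states what it means; a caller has to read to the end of the body to learn that it is a lifetime in seconds for the preloaded credentials and that 0 means none. A comment above the new `static unsigned` line would fix that, e.g. `/* Returns: seconds after which the preloaded server creds should be invalidated, or 0 if no timed invalidation is wanted */` — the "timer for inval" wording in the XXX comment at old line 794 suggests that is the intended use, though the caller is not in this diff. The body runs past this hunk; the matching `return lifetime;` is added in the hunk at old line 1718.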
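Review bot: The condition `#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)` is now spelled out verbatim at old lines 1648, 1759 and 1812, and presumably gates further sites in the file that this diff does not show. Deriving one feature macro from the two (defined once near where EXIM_HAVE_INOTIFY and EXIM_HAVE_KEVENT are set) and testing that at each site keeps the guards from drifting apart when a third file-notification backend is added, and says what is actually being checked — "can we watch files" — rather than how.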
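Review bot: In the new selfsign branch (hunk at old line 1678) the refresh interval `lifetime = f.running_in_test_harness ? 2 : 60 * 60;` is coupled to the certificate validity `(long)2 * 60 * 60` set in tls_install_selfsign (hunk at old line 823): if, as the XXX comment at old line 794 suggests, `lifetime` drives the invalidation timer, it must stay shorter than the validity or a server would keep presenting an expired selfsigned cert, yet neither site names the other, so a shared named constant or a cross-referencing comment on both would keep them in step. When tls_expand_session_files() fails the branch falls through with conn_certs unset and the text in dummy_errstr discarded, so an `else DEBUG(D_tls) debug_printf("TLS: selfsigned cert preload failed: %s\n", dummy_errstr);` would make a failed generation diagnosable — assuming the callee sets errstr on failure, which this hunk does not show. Nested directive style: the block opens with `# ifndef DISABLE_OCSP` but closes with an unindented `#endif`, whereas the hunk at old line 704 writes `# endif` for nested directives.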
@@ -1812,7 +1829,7 @@ else
 }
 
 
-#ifdef EXIM_HAVE_INOTIFY
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
 /* Invalidate the creds cached, by dropping the current ones. Call when we notice one of the source files has changed. */
@@ -4130,6 +4147,8 @@ int *fdp = o_ctx ? &tls_out.active.sock : &tls_in.active.sock;
 
 if (*fdp < 0) return; /* TLS was not active */
 
+tls_write(ct_ctx, NULL, 0, FALSE); /* flush write buffer */
+
 if (shutdown)
 {
 int rc;
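Review bot: The result of the new `tls_write(ct_ctx, NULL, 0, FALSE);` (hunk at old line 4130) is discarded, so a failed flush of buffered plaintext immediately before the shutdown handshake leaves no trace for whoever is debugging a truncated session. At minimum the failure should surface under the TLS debug selector, e.g. `if (tls_write(ct_ctx, NULL, 0, FALSE) < 0) DEBUG(D_tls) debug_printf("TLS: flush before close failed\n");` — assuming tls_write reports failure with a negative return, which this hunk does not show. That a zero-length write with more=FALSE acts as a flush is stated only by the trailing comment here; a sentence on tls_write's own documentation would make the idiom discoverable. The enclosing function starts before this hunk.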