Viktor Dukhovni:

> On Wed, Jun 17, 2020 at 06:05:44PM +0300, Thorsten Habich wrote:
>
> > unfortunately I ran into a bug when trying to use the connection_reuse
> > parameter in a TLS policy maps file.
> > Attached you can find a patch, to get this option running.
>
> Thanks for the patch, indeed the "continue" is needed.
>
> > --- src/smtp/smtp_tls_policy.c 2018-12-26 20:21:49.000000000 +0100
> > +++ src/smtp/smtp_tls_policy.c.new 2020-06-12 14:44:28.740591359 +0200
> > @@ -389,6 +389,7 @@
> > WHERE, name, val);
> > INVALID_RETURN(tls->why, site_level);
> > }
> > + continue;
> > }
> > msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name);
> > INVALID_RETURN(tls->why, site_level);
> >
> > P.S.: I think smtp_tls_connection_reuse=yes in combination with tafile
> > is broken.
>
> I think you're saying that per-connection trust-anchors are not
> supported by the tlsproxy. That sounds plausible. The "tafile" is
> internally converted to a set of synthetic "DANE-TA(2)" records,
> that are used for validation with "secure/verify" instead of the
> global CAfile/CApath. I don't think these are carried along with
> the tlsproxy protocol.
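Review bot: the one-line `+ continue;` at the end of the connection_reuse branch in smtp_tls_policy.c is the whole fix, and the surrounding context shows why it is needed: without it, control leaves the closing `}` of that branch and falls straight into `msg_warn("%s: invalid attribute name: \"%s\"", WHERE, name);` followed by `INVALID_RETURN(tls->why, site_level);`, so a policy entry with a perfectly valid `connection_reuse=...` attribute is rejected as invalid. Two things worth raising before it is applied: the unchanged context lines of the hunk as quoted here carry no leading space, so `patch(1)` will not apply this copy cleanly and the change should be resent as an attachment or with whitespace intact; and since the same fall-through shape appears at the end of every attribute branch, a quick check that no other branch in this loop is missing its `continue;` would be cheap insurance. The P.S. about smtp_tls_connection_reuse=yes with tafile is a separate issue and does not belong in this patch.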
I put in a lot of work to ship an entire Christmas tree of attributes, including:

    /* Per-connection DANE trust anchors, certificates and keys sent over the tlsproxy protocol. */
    ret = print_fn(fp, flags | ATTR_FLAG_MORE,
                   SEND_ATTR_FUNC(tls_proxy_client_tlsa_print, (void *) dane->ta),
                   SEND_ATTR_FUNC(tls_proxy_client_tlsa_print, (void *) dane->ee),
                   SEND_ATTR_FUNC(tls_proxy_client_certs_print, (void *) dane->certs),
                   SEND_ATTR_FUNC(tls_proxy_client_pkeys_print, (void *) dane->pkeys),
                   SEND_ATTR_STR(TLS_ATTR_DOMAIN, STRING_OR_EMPTY(dane->base_domain)),
                   SEND_ATTR_INT(TLS_ATTR_FLAGS, dane->flags),
                   SEND_ATTR_LONG(TLS_ATTR_EXP, dane->expires),
                   ATTR_TYPE_END);

It would be bad if that work was done for naught.

	Wietse

> There's some internal refactoring I should do in any case that
> would make it easier to support these with connection reuse.
>
> Ideally, we could drop support (e.g. in Postfix 3.6) for OpenSSL 1.0.x, and
> require 1.1.0 or later. Then it would make sense to refactor to use the
> built-in DANE support in OpenSSL (a tidier reworked version of the code
> originally in Postfix), and with that make sure that "tafile" works as
> expected with TLS connection reuse.
>
> --
> Viktor.