openssl: ignore unexpected EOF + only 1 session ticket

2 files changed, 6 insertions, 0 deletions

diff --git a/qmail-remote.c b/qmail-remote.c
index d0f2fc3..125d813 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -470,6 +470,8 @@ static int tls_init(struct ip_mx *current_mx)
   SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
   /* TLS renegotiation is possible cpu resource attack */
   SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
+  /* SMTP does not suffer from truncation attacks due to its application framing */
+  SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
 
   /* we verify ourself below. see SSL_get_verify_result */
   SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index d97dfc5..d02452f 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -1336,6 +1336,10 @@ void tls_init()
                            SSL_OP_PRIORITIZE_CHACHA);
   /* TLS renegotiation is possible cpu resource attack */
   SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
+  /* SMTP does not suffer from truncation attacks due to its application framing */
+  SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+  /* reduce to one ticket */
+  SSL_CTX_set_num_tickets(ctx, 1);
 
   /* set the callback here; SSL_set_verify didn't work before 0.9.6c */
   SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb);