From 0799f399b169e81bba6f6470d1bff340f83b1b42 Mon Sep 17 00:00:00 2001
From: manuel
Date: Thu, 10 Aug 2023 13:19:42 +0200
Subject: openssl: ignore unexpected EOF + only 1 session ticket

---
 qmail-remote.c | 2 ++
 qmail-smtpd.c | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/qmail-remote.c b/qmail-remote.c
index d0f2fc3..125d813 100644
--- a/qmail-remote.c
+++ b/qmail-remote.c
@@ -470,6 +470,8 @@ static int tls_init(struct ip_mx *current_mx)
 SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);
 /* TLS renegotiation is possible cpu resource attack */
 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
+ /* SMTP does not suffer from truncation attacks due to its application framing */
+ SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
 /* we verify ourself below. see SSL_get_verify_result */
 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index d97dfc5..d02452f 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -1336,6 +1336,10 @@ void tls_init()
 SSL_OP_PRIORITIZE_CHACHA);
 /* TLS renegotiation is possible cpu resource attack */
 SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
+ /* SMTP does not suffer from truncation attacks due to its application framing */
+ SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
+ /* reduce to one ticket */
+ SSL_CTX_set_num_tickets(ctx, 1);
 /* set the callback here; SSL_set_verify didn't work before 0.9.6c */
 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb);
--
cgit v1.2.3
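Review bot: `SSL_OP_IGNORE_UNEXPECTED_EOF` only exists from OpenSSL 3.0 onward, so the added `SSL_CTX_set_options` call in this qmail-remote.c hunk, and the identical one in the qmail-smtpd.c tls_init hunk, silently raise the build's minimum OpenSSL above the 1.1.1 that the surrounding context (`SSL_OP_PRIORITIZE_CHACHA`, `SSL_CTX_set_min_proto_version`) already implies, and the build breaks against anything older; if older libraries are still a target, wrap each added pair in `#ifdef SSL_OP_IGNORE_UNEXPECTED_EOF` / `#endif`. The new comment should also spell out the consequence rather than only the justification: with the option set, a peer that drops the TCP connection without close_notify is reported as `SSL_ERROR_ZERO_RETURN` exactly like a clean shutdown, so truncation detection rests entirely on SMTP line framing and the DATA terminator, e.g. `/* a cut connection without close_notify now reads as a clean shutdown; SMTP line framing and the <CRLF>.<CRLF> terminator are what detect a truncated session */`. `SSL_CTX_set_num_tickets` (1.1.1+) is within the version the file already requires, though `/* reduce to one ticket */` would be clearer as `/* TLS 1.3 default is two session tickets; one is enough for SMTP */`. tls_init begins before and continues after both hunks.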