20120517 Workaround: to avoid crashes when the OpenSSL library is updated without "postfix reload", the Postfix TLS session cache ID now includes the OpenSSL library version number. Note: this problem cannot be fixed in tlsmgr(8). Code by Victor Duchovni. Files: tls/tls_server.c, tls_client.c.
diff -cr /var/tmp/postfix-2.10-20120516/src/tls/tls_client.c src/tls/tls_client.c
*** /var/tmp/postfix-2.10-20120516/src/tls/tls_client.c Wed Apr 25 08:46:54 2012
--- src/tls/tls_client.c Thu May 17 13:14:52 2012
***************
*** 827,832 ****
--- 827,838 ----
vstring_sprintf_append(myserverid, "&c=%s", cipher_list);
/*
+ * Finally, salt the session key with the OpenSSL library version,
+ * (run-time, rather than compile-time, just in case that matters).
+ */
+ vstring_sprintf_append(myserverid, "&l=%ld", (long) SSLeay());
+
+ /*
* Allocate a new TLScontext for the new connection and get an SSL
* structure. Add the location of TLScontext to the SSL to later retrieve
* the information inside the tls_verify_certificate_callback().
diff -cr /var/tmp/postfix-2.10-20120516/src/tls/tls_server.c src/tls/tls_server.c
*** /var/tmp/postfix-2.10-20120516/src/tls/tls_server.c Wed Apr 25 08:47:01 2012
--- src/tls/tls_server.c Thu May 17 13:15:13 2012
***************
*** 181,189 ****
#define GEN_CACHE_ID(buf, id, len, service) \
do { \
! buf = vstring_alloc(2 * (len) + 1 + strlen(service) + 3); \
hex_encode(buf, (char *) (id), (len)); \
vstring_sprintf_append(buf, "&s=%s", (service)); \
} while (0)
--- 181,190 ----
#define GEN_CACHE_ID(buf, id, len, service) \
do { \
! buf = vstring_alloc(2 * (len + strlen(service))); \
hex_encode(buf, (char *) (id), (len)); \
vstring_sprintf_append(buf, "&s=%s", (service)); \
+ vstring_sprintf_append(buf, "&l=%ld", (long) SSLeay()); \
} while (0)
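Review bot: In the tls_client.c hunk, the added comment calls the new suffix a "salt" on the "session key", which reads like a cryptographic step although the line only appends a field to the session cache lookup string, and it does not record why the field is needed. I would reword it along the lines of `* Include the run-time OpenSSL version in the session cache lookup key, so that` / `* sessions cached under a different library version are never looked up.`, which ties the code to the crash described in the changelog entry. The version number is presumably enough to separate incompatible session formats, but two builds that report the same `SSLeay()` value would still share cache entries, which is worth a sentence in the comment. The enclosing function starts and ends outside this hunk.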
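Review bot: In the tls_server.c hunk, the rewritten `vstring_alloc` line uses the macro argument `len` without parentheses, unlike the `(id)`, `(len)` and `(service)` uses on the lines that follow, so an argument expression containing a lower-precedence operator would be grouped wrongly inside the sum. I would write `buf = vstring_alloc(2 * ((len) + strlen(service))); \`. The new size is an estimate that no longer counts the `&s=` separator and does not count the added `&l=` field; that is harmless only if VSTRING appends grow the buffer on demand, which is not visible in this hunk, so a short comment above the `#define` saying the size is only an initial hint would help. The server macro also carries no comment explaining the version suffix, unlike the client-side change.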