uschar *server_cipher_list;
/* only passed down to tls_error: */
host_item *host;
-
-#ifdef EXPERIMENTAL_CERTNAMES
uschar * verify_cert_hostnames;
-#endif
#ifdef EXPERIMENTAL_EVENT
uschar * event_action;
#endif
}
else
{
-#ifdef EXPERIMENTAL_CERTNAMES
uschar * verify_cert_hostnames;
-#endif
tlsp->peerdn = txt;
tlsp->peercert = X509_dup(cert);
-#ifdef EXPERIMENTAL_CERTNAMES
if ( tlsp == &tls_out
&& ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
/* client, wanting hostname check */
"tls_try_verify_hosts)\n");
}
# endif
-#endif /*EXPERIMENTAL_CERTNAMES*/
#ifdef EXPERIMENTAL_EVENT
ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
# endif
#endif
-#ifdef EXPERIMENTAL_CERTNAMES
cbinfo->verify_cert_hostnames = NULL;
-#endif
/* Set up the RSA callback */
if (expcerts != NULL && *expcerts != '\0')
{
- struct stat statbuf;
- if (!SSL_CTX_set_default_verify_paths(sctx))
- return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
-
- if (Ustat(expcerts, &statbuf) < 0)
+ if (Ustrcmp(expcerts, "system") == 0)
{
- log_write(0, LOG_MAIN|LOG_PANIC,
- "failed to stat %s for certificates", expcerts);
- return DEFER;
+ /* Tell the library to use its compiled-in location for the system default
+ CA bundle, only */
+
+ if (!SSL_CTX_set_default_verify_paths(sctx))
+ return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
}
else
{
- uschar *file, *dir;
- if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
- { file = NULL; dir = expcerts; }
+ struct stat statbuf;
+
+ /* Tell the library to use its compiled-in location for the system default
+ CA bundle. Those given by the exim config are additional to these */
+
+ if (!SSL_CTX_set_default_verify_paths(sctx))
+ return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
+
+ if (Ustat(expcerts, &statbuf) < 0)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "failed to stat %s for certificates", expcerts);
+ return DEFER;
+ }
else
- { file = expcerts; dir = NULL; }
-
- /* If a certificate file is empty, the next function fails with an
- unhelpful error message. If we skip it, we get the correct behaviour (no
- certificates are recognized, but the error message is still misleading (it
- says no certificate was supplied.) But this is better. */
-
- if ((file == NULL || statbuf.st_size > 0) &&
- !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
- return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
-
- /* Load the list of CAs for which we will accept certs, for sending
- to the client. This is only for the one-file tls_verify_certificates
- variant.
- If a list isn't loaded into the server, but
- some verify locations are set, the server end appears to make
- a wildcard reqest for client certs.
- Meanwhile, the client library as deafult behaviour *ignores* the list
- we send over the wire - see man SSL_CTX_set_client_cert_cb.
- Because of this, and that the dir variant is likely only used for
- the public-CA bundle (not for a private CA), not worth fixing.
- */
- if (file != NULL)
{
- STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
-DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
- sk_X509_NAME_num(names));
- SSL_CTX_set_client_CA_list(sctx, names);
+ uschar *file, *dir;
+ if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+ { file = NULL; dir = expcerts; }
+ else
+ { file = expcerts; dir = NULL; }
+
+ /* If a certificate file is empty, the next function fails with an
+ unhelpful error message. If we skip it, we get the correct behaviour (no
+ certificates are recognized, but the error message is still misleading (it
+ says no certificate was supplied.) But this is better. */
+
+ if ((file == NULL || statbuf.st_size > 0) &&
+ !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
+ return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
+
+ /* Load the list of CAs for which we will accept certs, for sending
+ to the client. This is only for the one-file tls_verify_certificates
+ variant.
+ If a list isn't loaded into the server, but
+ some verify locations are set, the server end appears to make
+ a wildcard reqest for client certs.
+ Meanwhile, the client library as deafult behaviour *ignores* the list
+ we send over the wire - see man SSL_CTX_set_client_cert_cb.
+ Because of this, and that the dir variant is likely only used for
+ the public-CA bundle (not for a private CA), not worth fixing.
+ */
+ if (file != NULL)
+ {
+ STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
+ DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
+ sk_X509_NAME_num(names));
+ SSL_CTX_set_client_CA_list(sctx, names);
+ }
}
}
static int
tls_client_basic_ctx_init(SSL_CTX * ctx,
- host_item * host, smtp_transport_options_block * ob
-#ifdef EXPERIMENTAL_CERTNAMES
- , tls_ext_ctx_cb * cbinfo
-#endif
+ host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
)
{
int rc;
set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
the specified host patterns if one of them is defined */
-if ( (!ob->tls_verify_hosts && !ob->tls_try_verify_hosts)
- || (verify_check_this_host(&ob->tls_verify_hosts, NULL,
- host->name, host->address, NULL) == OK)
+if ( ( !ob->tls_verify_hosts
+ && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
+ )
+ || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
)
client_verify_optional = FALSE;
-else if (verify_check_this_host(&ob->tls_try_verify_hosts, NULL,
- host->name, host->address, NULL) == OK)
+else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
client_verify_optional = TRUE;
else
return OK;
ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
return rc;
-#ifdef EXPERIMENTAL_CERTNAMES
-if (verify_check_this_host(&ob->tls_verify_cert_hostnames, NULL,
- host->name, host->address, NULL) == OK)
+if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
{
cbinfo->verify_cert_hostnames = host->name;
DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
cbinfo->verify_cert_hostnames);
}
-#endif
return OK;
}
}
# endif
- if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
- NULL, host->name, host->address, NULL) == OK))
+ if ((require_ocsp =
+ verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
request_ocsp = TRUE;
else
# ifdef EXPERIMENTAL_DANE
if (!request_ocsp)
# endif
- request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
- NULL, host->name, host->address, NULL) == OK;
+ request_ocsp =
+ verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
}
#endif
#ifdef EXPERIMENTAL_DANE
if (tlsa_dnsa)
{
- SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane);
+ SSL_CTX_set_verify(client_ctx,
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+ verify_callback_client_dane);
if (!DANESSL_library_init())
return tls_error(US"library init", host, NULL);
#endif
- if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob
-#ifdef EXPERIMENTAL_CERTNAMES
- , client_static_cbinfo
-#endif
- )) != OK)
+ if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
+ != OK)
return rc;
if ((client_ssl = SSL_new(client_ctx)) == NULL)
{ /* Re-eval now $tls_out_tlsa_usage is populated. If
this means we avoid the OCSP request, we wasted the setup
cost in tls_init(). */
- require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
- NULL, host->name, host->address, NULL) == OK;
- request_ocsp = require_ocsp ? TRUE
- : verify_check_this_host(&ob->hosts_request_ocsp,
- NULL, host->name, host->address, NULL) == OK;
+ require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
+ request_ocsp = require_ocsp
+ || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
}
}
# endif
projects / exim.git / blobdiff