From 26e72755c101f59e24735e9ca9a320d5f1ebc2b7 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Wed, 13 Mar 2013 19:48:22 -0400 Subject: [PATCH] OpenSSL fix empty tls_verify_certificates. New behaviour matches GnuTLS handling, and is documented. Previously, a tls_verify_certificates expansion forced failure was the only portable way to avoid setting this option. Now, an empty string is equivalent. --- doc/doc-docbook/spec.xfpt | 3 +++ doc/doc-txt/ChangeLog | 6 ++++++ src/src/tls-openssl.c | 2 +- 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 9c03523bb..92d0a2287 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -16066,6 +16066,9 @@ use OpenSSL with a directory. See &<>& for discussion of when this option might be re-expanded. +A forced expansion failure or setting to an empty string is equivalent to +being unset. + .option tls_verify_hosts main "host list&!!" unset .cindex "TLS" "client certificate verification" diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index c8155aa5c..a2e204d34 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -175,6 +175,12 @@ PP/17 Update configure.default to handle IPv6 localhost better. Patch by Alain Williams (plus minor tweaks). Bugzilla 880. +PP/18 OpenSSL made graceful with empty tls_verify_certificates setting. + This is now consistent with GnuTLS, and is now documented: the + previous undocumented portable approach to treating the option as + unset was to force an expansion failure. That still works, and + an empty string is now equivalent. + Exim version 4.80.1 ------------------- diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index d879f0873..42afd3949 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c 
@@ -1008,7 +1008,7 @@ uschar *expcerts, *expcrl; if (!expand_check(certs, US"tls_verify_certificates", &expcerts)) return DEFER; -if (expcerts != NULL) +if (expcerts != NULL && *expcerts != '\0') { struct stat statbuf; if (!SSL_CTX_set_default_verify_paths(sctx)) -- 2.25.1
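Review bot: The added `*expcerts != '\0'` test lets an expansion that unexpectedly comes out empty (a lookup that returns nothing, an unset variable) skip this block with no trace. The block is where `SSL_CTX_set_default_verify_paths(sctx)` is called, so the context is then left without the configured trust anchors instead of failing. The block's body continues outside the hunk, so it cannot be confirmed from here whether peer verification is also switched on only inside it; if it is, the empty case silently disables verification and should be visible to the operator. I would put a comment above the condition, `/* Empty string is treated as unset, as with GnuTLS: no CA file/dir is loaded. */`, and add a debug line for the skipped case where the block closes, e.g. `else DEBUG(D_tls) debug_printf("tls_verify_certificates is empty; certificate verification not set up\n");`.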