X-Git-Url: https://vcs.fsf.org/?p=exim.git;a=blobdiff_plain;f=src%2Fsrc%2Ftls-openssl.c;h=fe1b208ac5b2e4d708b913e2f466e11733ad0450;hp=c489ea51da4f36fa50744bb44e7aaa330fb9528a;hb=c1cc0506c3069a9d93d71321f9578150662ede91;hpb=839a3b0d5528e557f52f47e8345e290edd86b520
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index c489ea51d..fe1b208ac 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -308,7 +308,6 @@ if (state == 0)
 depth,
 X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
 txt);
- tlsp->certificate_verified = FALSE;
 *calledp = TRUE;
 if (!*optionalp)
 {
@@ -342,9 +341,11 @@ else if (depth != 0)
 {
 log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
 "depth=%d cert=%s: %s", depth, txt, yield);
- tlsp->certificate_verified = FALSE;
 *calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
 }
 X509_free(tlsp->peercert);
 tlsp->peercert = NULL;
@@ -389,7 +390,11 @@ else
 {
 log_write(0, LOG_MAIN,
 "SSL verify error: certificate name mismatch: \"%s\"\n", txt);
- return 0; /* reject */
+ *calledp = TRUE;
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+ "tls_try_verify_hosts)\n");
 }
 }
 # else
@@ -397,7 +402,11 @@ else
 {
 log_write(0, LOG_MAIN,
 "SSL verify error: certificate name mismatch: \"%s\"\n", txt);
- return 0; /* reject */
+ *calledp = TRUE;
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+ "tls_try_verify_hosts)\n");
 }
 # endif
 #endif /*EXPERIMENTAL_CERTNAMES*/
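Review bot: In the `else if (depth != 0)` hunk (@@ -342), nothing visible keeps the session marked unverified once a host in tls_try_verify_hosts falls through an event-action denial to `X509_free(tlsp->peercert)` and the rest of the callback, because the explicit `tlsp->certificate_verified = FALSE;` is gone. That presumably depends on code after the hunk testing `*calledp` before it sets `certificate_verified`; the dependency deserves a comment beside `*calledp = TRUE;`, e.g. `/* an overridden failure: later code must leave certificate_verified FALSE */`. The same applies to the depth=0 event-action hunk (@@ -409) and to the removal at @@ -308. The enclosing callback starts and ends outside these hunks.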
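Review bot: In the two certificate-name-mismatch hunks (@@ -389 and its `# else` twin at @@ -397) the override is recorded only through `DEBUG(D_tls)`, so the main log shows `SSL verify error: certificate name mismatch` followed by a session that carries on with no stated reason. Someone reading logs after a suspected interception would be helped by a main-log record of the override, e.g. `log_write(0, LOG_MAIN, "SSL verify failure overridden (host in tls_try_verify_hosts)");` alongside the debug line. The five added lines are also identical in both preprocessor branches, so a small static helper would keep the two paths from drifting apart. Both blocks sit inside an `else` whose start is outside the hunks.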
@@ -409,9 +418,11 @@ else
 {
 log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
 "depth=0 cert=%s: %s", txt, yield);
- tlsp->certificate_verified = FALSE;
 *calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
 }
 #endif