Support use of system default CA bundle

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 5bdf5728270c9f1677b8669c347161353251f311..dc7e4f75c8470872b6426816071634e4bf61a843 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16481,14 +16481,24 @@ See &%tls_verify_hosts%& below.
 .option tls_verify_certificates main string&!! unset
 .cindex "TLS" "client certificate verification"
 .cindex "certificate" "verification of client"
 .option tls_verify_certificates main string&!! unset
 .cindex "TLS" "client certificate verification"
 .cindex "certificate" "verification of client"

-The value of this option is expanded, and must then be the absolute path to
-a file containing permitted certificates for clients that
-match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&. Alternatively, if you
-are using either GnuTLS version 3.3.6 (or later) or OpenSSL,
-you can set &%tls_verify_certificates%& to the name of a
-directory containing certificate files.
-For earlier versions of GnuTLS
-the option must be set to the name of a single file.
+The value of this option is expanded, and must then be either the
+word "system"
+or the absolute path to
+a file or directory containing permitted certificates for clients that
+match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&.
+
+The "system" value for the option will use a
+system default location compiled into the SSL library.
+This is not available for GnuTLS versions preceding 3.0.20 and an explicit location
+must be specified.
+
+The use of a directory for the option value is not avilable for GnuTLS versions
+preceding 3.3.6 and a single file must be used.
+
+With OpenSSL the certificates specified
+explicitly
+either by file or directory
+are added to those given by the system default location.

 
 With OpenSSL the certificates specified
 explicitly
 
 With OpenSSL the certificates specified
 explicitly


@@ -23453,15 +23463,18 @@ There is no equivalent checking on client certificates.
 .cindex "certificate" "verification of server"
 .vindex "&$host$&"
 .vindex "&$host_address$&"
 .cindex "certificate" "verification of server"
 .vindex "&$host$&"
 .vindex "&$host_address$&"

-The value of this option must be the absolute path to a file containing
-permitted server certificates, for use when setting up an encrypted connection.
-Alternatively,
-if you are using either GnuTLS version 3.3.6 (or later) or OpenSSL,
-you can set
-&%tls_verify_certificates%& to the name of a directory containing certificate
-files.
-For earlier versions of GnuTLS the option must be set to the name of a
-single file.
+The value of this option must be either the
+word "system"
+or the absolute path to
+a file or directory containing permitted certificates for servers,
+for use when setting up an encrypted connection.
+
+The "system" value for the option will use a location compiled into the SSL library.
+This is not available for GnuTLS versions preceding 3.0.20 and an explicit location
+must be specified.
+
+The use of a directory for the option value is not avilable for GnuTLS versions
+preceding 3.3.6 and a single file must be used.

 
 With OpenSSL the certificates specified
 explicitly
 
 With OpenSSL the certificates specified
 explicitly


@@ -25949,8 +25962,9 @@ include files and libraries for GnuTLS can be found.
 There are some differences in usage when using GnuTLS instead of OpenSSL:
 
 .ilist
 There are some differences in usage when using GnuTLS instead of OpenSSL:
 
 .ilist

-The &%tls_verify_certificates%& option must contain the name of a file, not the
-name of a directory for GnuTLS versions before 3.3.6
+The &%tls_verify_certificates%& option
+cannot be the path of a directory
+for GnuTLS versions before 3.3.6

 (for later versions, or OpenSSL, it can be either).
 .next
 The default value for &%tls_dhparam%& differs for historical reasons.
 (for later versions, or OpenSSL, it can be either).
 .next
 The default value for &%tls_dhparam%& differs for historical reasons.


@@ -26302,8 +26316,10 @@ session with a client, you must set either &%tls_verify_hosts%& or
 apply to all TLS connections. For any host that matches one of these options,
 Exim requests a certificate as part of the setup of the TLS session. The
 contents of the certificate are verified by comparing it with a list of
 apply to all TLS connections. For any host that matches one of these options,
 Exim requests a certificate as part of the setup of the TLS session. The
 contents of the certificate are verified by comparing it with a list of

-expected certificates. These must be available in a file or,
-for OpenSSL only (not GnuTLS), a directory, identified by
+expected certificates.
+These may be the system default set (depending on library version),
+an explicit file or,
+depending on library version, a directory, identified by

 &%tls_verify_certificates%&.
 
 A file can contain multiple certificates, concatenated end to end. If a
 &%tls_verify_certificates%&.
 
 A file can contain multiple certificates, concatenated end to end. If a


@@ -26463,9 +26479,13 @@ if it requests it. If the server is Exim, it will request a certificate only if
 &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.
 
 If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it
 &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.
 
 If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it

+specified a collection of expected server certificates.
+These may be the system default set (depeding on library version),
+a file or,
+depnding on liibrary version, a directory,

 must name a file or,
 must name a file or,

-for OpenSSL only (not GnuTLS), a directory, that contains a collection of
-expected server certificates. The client verifies the server's certificate
+for OpenSSL only (not GnuTLS), a directory.
+The client verifies the server's certificate

 against this collection, taking into account any revoked certificates that are
 in the list defined by &%tls_crl%&.
 Failure to verify fails the TLS connection unless either of the
 against this collection, taking into account any revoked certificates that are
 in the list defined by &%tls_crl%&.
 Failure to verify fails the TLS connection unless either of the

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 27abe470104f00f0d5bce97710e837949289e571..f2954b9455d21cb247fc55cca4a4c9e25cb79f77 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -17,6 +17,10 @@ JH/04 Certificate name checking on server certificates, when exim is a client,
       can be used to disable this per-host.  The build option
       EXPERIMENTAL_CERTNAMES is withdrawn.
 
       can be used to disable this per-host.  The build option
       EXPERIMENTAL_CERTNAMES is withdrawn.
 

+JH/05 The value of the tls_verify_certificates smtp transport and main options
+      can now be the word "system" to access the system default CA bundle.
+      For GnuTLS, only version 3.0.20 or later.
+

 
 Exim version 4.85
 -----------------
 
 Exim version 4.85
 -----------------

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index b520ebfd84edcad4c49f2e8bca1831c7398aae09..4943f48b7d2e3318bb46c683d32c44e65b629185 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -56,6 +56,9 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 #else
 # undef  SUPPORT_CA_DIR
 #endif
 #else
 # undef  SUPPORT_CA_DIR
 #endif

+#if GNUTLS_VERSION_NUMBER >= 0x030314
+# define SUPPORT_SYSDEFAULT_CABUNDLE
+#endif

 
 #ifndef DISABLE_OCSP
 # include <gnutls/ocsp.h>
 
 #ifndef DISABLE_OCSP
 # include <gnutls/ocsp.h>


@@ -874,58 +877,65 @@ else
   return OK;
   }
 
   return OK;
   }
 

-if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
+#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
+if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
+  cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
+else
+#endif

   {
   {

-  log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
-      "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
-      strerror(errno));
-  return DEFER;
-  }
+  if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
+       "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
+       strerror(errno));
+    return DEFER;
+    }

 
 #ifndef SUPPORT_CA_DIR
 
 #ifndef SUPPORT_CA_DIR

-/* The test suite passes in /dev/null; we could check for that path explicitly,
-but who knows if someone has some weird FIFO which always dumps some certs, or
-other weirdness.  The thing we really want to check is that it's not a
-directory, since while OpenSSL supports that, GnuTLS does not.
-So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
-if (S_ISDIR(statbuf.st_mode))
-  {
-  DEBUG(D_tls)
-    debug_printf("verify certificates path is a dir: \"%s\"\n",
-        state->exp_tls_verify_certificates);
-  log_write(0, LOG_MAIN|LOG_PANIC,
-      "tls_verify_certificates \"%s\" is a directory",
-      state->exp_tls_verify_certificates);
-  return DEFER;
-  }
+  /* The test suite passes in /dev/null; we could check for that path explicitly,
+  but who knows if someone has some weird FIFO which always dumps some certs, or
+  other weirdness.  The thing we really want to check is that it's not a
+  directory, since while OpenSSL supports that, GnuTLS does not.
+  So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
+  if (S_ISDIR(statbuf.st_mode))
+    {
+    DEBUG(D_tls)
+      debug_printf("verify certificates path is a dir: \"%s\"\n",
+         state->exp_tls_verify_certificates);
+    log_write(0, LOG_MAIN|LOG_PANIC,
+       "tls_verify_certificates \"%s\" is a directory",
+       state->exp_tls_verify_certificates);
+    return DEFER;
+    }

 #endif
 
 #endif
 

-DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
-        state->exp_tls_verify_certificates, statbuf.st_size);
+  DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
+         state->exp_tls_verify_certificates, statbuf.st_size);

 
 

-if (statbuf.st_size == 0)
-  {
-  DEBUG(D_tls)
-    debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
-  return OK;
-  }
+  if (statbuf.st_size == 0)
+    {
+    DEBUG(D_tls)
+      debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
+    return OK;
+    }

 
 

-cert_count =
+  cert_count =

 
 #ifdef SUPPORT_CA_DIR
 
 #ifdef SUPPORT_CA_DIR

-  (statbuf.st_mode & S_IFMT) == S_IFDIR
-  ?
-  gnutls_certificate_set_x509_trust_dir(state->x509_cred,
-    CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
-  :
+    (statbuf.st_mode & S_IFMT) == S_IFDIR
+    ?
+    gnutls_certificate_set_x509_trust_dir(state->x509_cred,
+      CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
+    :

 #endif
 #endif

-  gnutls_certificate_set_x509_trust_file(state->x509_cred,
-    CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+    gnutls_certificate_set_x509_trust_file(state->x509_cred,
+      CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+  }

 
 if (cert_count < 0)
   {
   rc = cert_count;
 
 if (cert_count < 0)
   {
   rc = cert_count;

-  exim_gnutls_err_check(US"gnutls_certificate_set_x509_trust_file");
+  exim_gnutls_err_check(US"setting certificate trust");

   }
 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
 
   }
 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
 

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7c66775c0ff3b3976b01ae4eeed393f42bacd349..bb17821e474d37fc39c31ebd1fee204041b255c8 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1366,50 +1366,65 @@ if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
 
 if (expcerts != NULL && *expcerts != '\0')
   {
 
 if (expcerts != NULL && *expcerts != '\0')
   {

-  struct stat statbuf;
-  if (!SSL_CTX_set_default_verify_paths(sctx))
-    return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
-
-  if (Ustat(expcerts, &statbuf) < 0)
+  if (Ustrcmp(expcerts, "system") == 0)

     {
     {

-    log_write(0, LOG_MAIN|LOG_PANIC,
-      "failed to stat %s for certificates", expcerts);
-    return DEFER;
+    /* Tell the library to use its compiled-in location for the system default
+    CA bundle, only */
+
+    if (!SSL_CTX_set_default_verify_paths(sctx))
+      return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);

     }
   else
     {
     }
   else
     {

-    uschar *file, *dir;
-    if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
-      { file = NULL; dir = expcerts; }
+    struct stat statbuf;
+
+    /* Tell the library to use its compiled-in location for the system default
+    CA bundle. Those given by the exim config are additional to these */
+
+    if (!SSL_CTX_set_default_verify_paths(sctx))
+      return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
+
+    if (Ustat(expcerts, &statbuf) < 0)
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC,
+       "failed to stat %s for certificates", expcerts);
+      return DEFER;
+      }

     else
     else

-      { file = expcerts; dir = NULL; }
-
-    /* If a certificate file is empty, the next function fails with an
-    unhelpful error message. If we skip it, we get the correct behaviour (no
-    certificates are recognized, but the error message is still misleading (it
-    says no certificate was supplied.) But this is better. */
-
-    if ((file == NULL || statbuf.st_size > 0) &&
-          !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
-      return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
-
-    /* Load the list of CAs for which we will accept certs, for sending
-    to the client.  This is only for the one-file tls_verify_certificates
-    variant.
-    If a list isn't loaded into the server, but
-    some verify locations are set, the server end appears to make
-    a wildcard reqest for client certs.
-    Meanwhile, the client library as deafult behaviour *ignores* the list
-    we send over the wire - see man SSL_CTX_set_client_cert_cb.
-    Because of this, and that the dir variant is likely only used for
-    the public-CA bundle (not for a private CA), not worth fixing.
-    */
-    if (file != NULL)

       {
       {

-      STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
-DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
-                                 sk_X509_NAME_num(names));
-      SSL_CTX_set_client_CA_list(sctx, names);
+      uschar *file, *dir;
+      if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+       { file = NULL; dir = expcerts; }
+      else
+       { file = expcerts; dir = NULL; }
+
+      /* If a certificate file is empty, the next function fails with an
+      unhelpful error message. If we skip it, we get the correct behaviour (no
+      certificates are recognized, but the error message is still misleading (it
+      says no certificate was supplied.) But this is better. */
+
+      if ((file == NULL || statbuf.st_size > 0) &&
+           !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
+       return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
+
+      /* Load the list of CAs for which we will accept certs, for sending
+      to the client.  This is only for the one-file tls_verify_certificates
+      variant.
+      If a list isn't loaded into the server, but
+      some verify locations are set, the server end appears to make
+      a wildcard reqest for client certs.
+      Meanwhile, the client library as deafult behaviour *ignores* the list
+      we send over the wire - see man SSL_CTX_set_client_cert_cb.
+      Because of this, and that the dir variant is likely only used for
+      the public-CA bundle (not for a private CA), not worth fixing.
+      */
+      if (file != NULL)
+       {
+       STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
+  DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
+                                   sk_X509_NAME_num(names));
+       SSL_CTX_set_client_CA_list(sctx, names);
+       }

       }
     }
 
       }
     }