From 453a6645ece01ed49ff175d43d660daef435d301 Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Sat, 5 Jun 2010 10:34:29 +0000 Subject: [PATCH] Deal with anonymous SSL giving us no peer certificate. --- doc/doc-txt/ChangeLog | 15 ++++++++++++--- src/src/tls-openssl.c | 14 ++++++++++---- 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index cb9f3d39c..828e72fb2 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.619 2010/06/05 10:16:36 pdp Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.620 2010/06/05 10:34:29 pdp Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -22,13 +22,22 @@ PP/05 Bugzilla 834: provide a permit_codedump option for pipe transports. PP/06 Adjust NTLM authentication to handle SASL Initial Response. +PP/07 If TLS negotiated an anonymous cipher, we could end up with SSL but + without a peer certificate (I believe), leading to a segfault because of + an assumption that peers always have certificates. Be a little more + paranoid. Problem reported by Martin Tscholak. + Exim version 4.72 ----------------- -JJ/01 installed exipick 20100104.1, adding $max_received_linelength, $data_path, and $header_path variables; fixed documentation bugs and typos +JJ/01 installed exipick 20100104.1, adding $max_received_linelength, + $data_path, and $header_path variables; fixed documentation bugs and + typos -JJ/02 installed exipick 20100222.0, added --input-dir and --finput to allow exipick to access non-standard spools, including the "frozen" queue (Finput) +JJ/02 installed exipick 20100222.0, added --input-dir and --finput to allow + exipick to access non-standard spools, including the "frozen" queue + (Finput) NM/01 Bugzilla 965: Support mysql stored procedures. Patch from Alain Williams diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 02db7cd52..78b28f5e8 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/tls-openssl.c,v 1.25 2010/06/05 09:36:11 pdp Exp $ */ +/* $Cambridge: exim/src/src/tls-openssl.c,v 1.26 2010/06/05 10:34:29 pdp Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -833,10 +833,16 @@ if (rc <= 0) DEBUG(D_tls) debug_printf("SSL_connect succeeded\n"); +/* Beware anonymous ciphers which lead to server_cert being NULL */ server_cert = SSL_get_peer_certificate (ssl); -tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert), - CS txt, sizeof(txt)); -tls_peerdn = txt; +if (server_cert) + { + tls_peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert), + CS txt, sizeof(txt)); + tls_peerdn = txt; + } +else + tls_peerdn = NULL; construct_cipher_name(ssl); /* Sets tls_cipher */ -- 2.25.1