authorJeremy Harris <jgh146exb@wizmail.org>2020-10-04 23:08:45 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2020-10-05 16:57:12 +0100
commit744170d4d3602fb5e1ade465d8da86b479b92f33 (patch)
treedef1ee0c32a9270398cebe28e1d8c9b6d40c4a91
parent261fc93208fb853e3f1ef78dd90a0b3d261e002f (diff)
GnuTLS: when library too old for system CA bundle support, do not default options to using it
-rw-r--r--src/src/globals.c4
-rw-r--r--src/src/transports/smtp.c2
-rwxr-xr-xtest/runtest3
3 files changed, 8 insertions, 1 deletions
diff --git a/src/src/globals.c b/src/src/globals.c
index d029f7540..b7e117868 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -141,7 +141,11 @@ uschar *tls_require_ciphers = NULL;
uschar *tls_resumption_hosts = NULL;
# endif
uschar *tls_try_verify_hosts = NULL;
+#if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
uschar *tls_verify_certificates= US"system";
+#else
+uschar *tls_verify_certificates= NULL;
+#endif
uschar *tls_verify_hosts = NULL;
int tls_watch_fd = -1;
time_t tls_watch_trigger_time = (time_t)0;
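Review bot: The condition `defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)` is spelled out here and again in the smtp.c hunk of this commit, so the two defaults can drift apart if only one is edited later. A single feature macro, defined once and tested in both places, would keep them in step. The new `#if`/`#else`/`#endif` also carry no comment saying why the default becomes NULL; I would add above them `/* GnuTLS too old to load the system CA bundle: leave no default trust anchors rather than naming a bundle the library cannot load */`. The directives are written without the nested-indent space used by the `# endif` two lines above; if this declaration sits inside an outer conditional (not visible in the hunk), `# if` / `# else` / `# endif` would match the surrounding style.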
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 0a3d8f1e9..a31982223 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -192,7 +192,9 @@ smtp_transport_options_block smtp_transport_option_defaults = {
.keepalive = TRUE,
.retry_include_ip_address = TRUE,
#ifndef DISABLE_TLS
+# if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
.tls_verify_certificates = US"system",
+# endif
.tls_dh_min_bits = EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
.tls_tempfail_tryclear = TRUE,
.tls_try_verify_hosts = US"*",
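Review bot: On a GnuTLS build without SUPPORT_SYSDEFAULT_CABUNDLE the initializer now leaves `.tls_verify_certificates` unset, while `.tls_try_verify_hosts = US"*"` a few lines below is unchanged, so the transport still asks for verification of every host but ships with no trust anchors. The hunk does not show how the TLS code treats that combination. If, as the "try" semantics suggest, a failed verification lets the connection proceed, these builds would deliver over unauthenticated TLS by default with nothing to alert the operator. I would state this next to the conditional, e.g. `/* no system CA bundle support: no default trust anchors; set tls_verify_certificates explicitly to get verified peers */`, and repeat it in the option's documentation. The initializer starts and ends outside the hunk.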
diff --git a/test/runtest b/test/runtest
index 7e9b5d74c..59184786b 100755
--- a/test/runtest
+++ b/test/runtest
@@ -1075,7 +1075,8 @@ RESET_AFTER_EXTRA_LINE_READ:
next if /^TLS: preloading DH params for server/;
next if /^Diffie-Hellman initialized from default/;
next if /^TLS: preloading ECDH curve for server/;
- next if /^ECDH OpenSSL [\d.+]+ temp key parameter settings:/;
+ next if /^ECDH OpenSSL [< ]?[\d.+]+ temp key parameter settings:/;
+ next if /^ECDH: .'*prime256v1'/;
next if /^watch dir/;
# TLS preload