Move certificate name checking to mainline, default enabled

This is an exim client checking a server certificate.

3 files changed, 18 insertions, 35 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 542ccaf86..5bdf57282 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -23435,6 +23435,19 @@ The &$tls_out_certificate_verified$& variable is set when
 certificate verification succeeds.
 
 
+.option tls_verify_cert_hostnames smtp "host list&!!" *
+.cindex "TLS" "server certificate hostname verification"
+.cindex "certificate" "verification of server"
+This option give a list of hosts for which,
+while verifying the server certificate,
+checks will be included on the host name
+(note that this will generally be the result of a DNS MX lookup)
+versus Subject and Subject-Alternate-Name fields.  Wildcard names are permitted
+limited to being the initial component of a 3-or-more component FQDN.
+
+There is no equivalent checking on client certificates.
+
+
 .option tls_verify_certificates smtp string&!! unset
 .cindex "TLS" "server certificate verification"
 .cindex "certificate" "verification of server"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2f29e3603..27abe4701 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -12,6 +12,11 @@ JH/02 The smtp transport option "multi_domain" is now expanded.
 JH/03 The smtp transport now requests PRDR by default, if the server offers
       it.
 
+JH/04 Certificate name checking on server certificates, when exim is a client,
+      is now done by default.  The transport option tls_verify_cert_hostname
+      can be used to disable this per-host.  The build option
+      EXPERIMENTAL_CERTNAMES is withdrawn.
+
 
 Exim version 4.85
 -----------------
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 4a2a04bb4..4bcfecf04 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1146,41 +1146,6 @@ Adding it to a redirect router makes no difference.
 
 
 
-Certificate name checking
---------------------------------------------------------------
-The X509 certificates used for TLS are supposed be verified
-that they are owned by the expected host.  The coding of TLS
-support to date has not made these checks.
-
-If built with EXPERIMENTAL_CERTNAMES defined, code is
-included to do so for server certificates, and a new smtp transport option
-"tls_verify_cert_hostnames" supported which takes a hostlist
-which must match the target host for the additional checks must be made.
-The option currently defaults to empty, but this may change in
-the future.  "*" is probably a suitable value.
-Whether certificate verification is done at all, and the result of
-it failing, is stll under the control of "tls_verify_hosts" nad
-"tls_try_verify_hosts".
-
-The name being checked is that for the host, generally
-the result of an MX lookup.
-
-Both Subject and Subject-Alternate-Name certificate fields
-are supported, as are wildcard certificates (limited to
-a single wildcard being the initial component of a 3-or-more
-component FQDN).
-
-The equivalent check on the server for client certificates is not
-implemented.  At least one major email provider is using a client
-certificate which fails this check.  They do not retry either without
-the client certificate or in clear.
-
-It is possible to duplicate the effect of this checking by
-creative use of Events.
-
-
-
-
 DANE
 ------------------------------------------------------------
 DNS-based Authentication of Named Entities, as applied