author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-11-23 17:01:14 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2015-01-12 18:58:34 +0000 |
commit | 610ff4388b33ddc2753c17eefb8b03e2fdd7e124 (patch) | |
tree | 7c93cbe25d6091208059e9d3999f1299c6ccfeb6 /src | |
parent | 0e0f3f562bf23cf035baf85cdd071d392751b676 (diff) |
Make smtp transport try server cert verify by default
This is an exim client checking a server certificate.
Diffstat (limited to 'src')
-rw-r--r-- | src/src/tls-gnu.c | 12 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 4 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 2 |
3 files changed, 10 insertions, 8 deletions
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 42d04224a..8b28d5566 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -853,14 +853,14 @@ error message is provided. However, if we just refrain from setting anything up in that case, certificate verification fails, which seems to be the correct behaviour. */ -if ( state->tls_verify_certificates && *state->tls_verify_certificates -#ifndef SUPPORT_SYSDEFAULT_CABUNDLE - && Ustrcmp(state->exp_tls_verify_certificates, "system") != 0 -#endif - ) +if (state->tls_verify_certificates && *state->tls_verify_certificates) { if (!expand_check_tlsvar(tls_verify_certificates)) return DEFER; +#ifndef SUPPORT_SYSDEFAULT_CABUNDLE + if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0) + state->exp_tls_verify_certificates = NULL; +#endif if (state->tls_crl && *state->tls_crl) if (!expand_check_tlsvar(tls_crl)) return DEFER; @@ -1860,7 +1860,7 @@ the specified host patterns if one of them is defined */ if ( ( state->exp_tls_verify_certificates && !ob->tls_verify_hosts - && !ob->tls_try_verify_hosts + && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts) ) || verify_check_given_host(&ob->tls_verify_hosts, host) == OK ) diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index bb17821e4..ce6b47832 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1686,7 +1686,9 @@ int rc; set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only the specified host patterns if one of them is defined */ -if ( (!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) +if ( ( !ob->tls_verify_hosts + && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts) + ) || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK) ) client_verify_optional = FALSE; diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index a455ba553..181081b60 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c 
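Review bot: On a build without SUPPORT_SYSDEFAULT_CABUNDLE, the new `#ifndef` block in the first tls-gnu.c hunk quietly turns `tls_verify_certificates = system` into a NULL `exp_tls_verify_certificates`, so no trust anchors are loaded and nothing in the visible lines tells the operator why. A debug line inside that branch would make the downgrade diagnosable, e.g. `DEBUG(D_tls) debug_printf("TLS: \"system\" CA bundle not supported by this build; no CAs loaded\n");`. The `Ustrcmp()` also assumes `expand_check_tlsvar()` never returns success with the expanded value left NULL. That helper is not visible here, so if a forced expansion failure can do that, the test should read `if (state->exp_tls_verify_certificates && Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)`. The enclosing function begins and ends outside the hunk.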
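Review bot: The new emptiness test in the second tls-gnu.c hunk is applied to `tls_try_verify_hosts` only, while `tls_verify_hosts` is still tested just for NULL. An explicitly empty `tls_verify_hosts =` therefore counts as "set" and skips the strict default branch that an unset option would take. If empty is meant to equal unset for both lists, the line should become `&& (!ob->tls_verify_hosts || !*ob->tls_verify_hosts)`; the same asymmetry is in the tls-openssl.c hunk at -1686. The comment above both conditions still says the options are "not set" and would be clearer if it said "unset or empty". How `verify_check_given_host()` treats an empty list is not visible here, and the statement continues outside the hunk.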
@@ -260,7 +260,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 /* tls_dh_min_bits */
 TRUE, /* tls_tempfail_tryclear */
 NULL, /* tls_verify_hosts */
- NULL, /* tls_try_verify_hosts */
+ US"*", /* tls_try_verify_hosts */
 US"*" /* tls_verify_cert_hostnames */
 #endif
 #ifndef DISABLE_DKIM |
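Review bot: Changing this default also changes which branch existing configurations take, and the initializer line carries no hint of that. Judging from the conditions in the tls-gnu.c and tls-openssl.c hunks, a transport that sets neither host list used to reach the "neither set" branch, which in tls-openssl.c sets `client_verify_optional = FALSE`. With `US"*"` the try list is non-empty, so that branch is reached only when `tls_try_verify_hosts` is explicitly emptied; otherwise strict handling depends on `tls_verify_hosts` matching the host. The else-branches are outside the hunks, so the exact effect of a failed verification is inferred, but sites that relied on the implicit strict behaviour would presumably need `tls_verify_hosts = *`. I would say so next to the default, e.g. `/* tls_try_verify_hosts: "*" = verification attempted for every host but not enforced; set tls_verify_hosts to enforce */`, and mention it in the upgrade notes.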