authorJeremy Harris <jgh146exb@wizmail.org>2021-07-22 22:01:10 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2021-07-22 22:01:10 +0100
commitdbbc1c20b59dc10368e31a7c81f110eb40b36494 (patch)
treea2db0fd754e77f3a64be93e4ed98e050686e34f2 /src
parent1c18b2f733ed64d4dfa4b4cf391ba73bb86cf030 (diff)
TLS: fix tls_verify_certificates handling of "system"
A previous try at managing it for new-enough versions of GnuTLS actually broke it for everything: 744170d4d3
Diffstat (limited to 'src')
-rw-r--r--src/src/globals.c4
-rw-r--r--src/src/tls-gnu.c21
-rw-r--r--src/src/transports/smtp.c2
3 files changed, 17 insertions, 10 deletions
diff --git a/src/src/globals.c b/src/src/globals.c
index 1e12bcb92..c3e8a16cf 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -147,11 +147,7 @@ uschar *tls_require_ciphers = NULL;
uschar *tls_resumption_hosts = NULL;
# endif
uschar *tls_try_verify_hosts = NULL;
-#if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
uschar *tls_verify_certificates= US"system";
-#else
-uschar *tls_verify_certificates= NULL;
-#endif
uschar *tls_verify_hosts = NULL;
int tls_watch_fd = -1;
time_t tls_watch_trigger_time = (time_t)0;
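Review bot: The default at line 28 is now `US"system"` on every build, including GnuTLS builds without SUPPORT_SYSDEFAULT_CABUNDLE that cannot resolve it, and nothing at the definition says where that case is caught; the same unconditional default is set in src/src/transports/smtp.c in this commit. A one-line comment at the definition would keep both sites understandable without reading tls-gnu.c: `/* Default is "system" on every build; tls-gnu.c treats it as empty where SUPPORT_SYSDEFAULT_CABUNDLE is not available. */`. Because the capability check now lives only in the consumer, any other code that reads this default directly would presumably need its own handling, which is worth stating next to the value.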
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index b9f8d2a51..7d434f6af 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1526,9 +1526,14 @@ else if ( !tls_certificate && !tls_privatekey
else
DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
-/* If tls_verify_certificates is non-empty and has no $, load CAs */
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
-if (opt_set_and_noexpand(tls_verify_certificates))
+if ( opt_set_and_noexpand(tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ && Ustrcmp(tls_verify_certificates, "system") != 0
+#endif
+ )
{
if (tls_set_watch(tls_verify_certificates, FALSE))
{
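Review bot: The new comment at lines 43-44 says the "system" case is skipped when none was configured, but the check at line 48 compares the value itself, so an explicitly configured `tls_verify_certificates = system` is skipped in exactly the same way on builds without SUPPORT_SYSDEFAULT_CABUNDLE; the comment should say so, e.g. `If the value is "system" (the default) and this build cannot resolve it, treat as empty.` The same three-line condition is repeated verbatim for the client side in the hunk at line 1637 (`ob->tls_verify_certificates`), so a small helper would keep the two in step if the rule changes again. The preload body that starts at the end of this hunk continues outside it.
```c
/* True if a tls_verify_certificates value can be preloaded: set, free of
expansion items, and not a "system" bundle this build cannot resolve. */
static BOOL
verify_certs_preloadable(const uschar * s)
{
if (!opt_set_and_noexpand(s)) return FALSE;
#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
if (Ustrcmp(s, "system") == 0) return FALSE;
#endif
return TRUE;
}

/* … unchanged: server cert preload … */
if (verify_certs_preloadable(tls_verify_certificates))
```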
@@ -1632,7 +1637,14 @@ else
DEBUG(D_tls)
debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
-if (opt_set_and_noexpand(ob->tls_verify_certificates))
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
+
+if ( opt_set_and_noexpand(ob->tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ && Ustrcmp(ob->tls_verify_certificates, "system") != 0
+#endif
+ )
{
if (!watch || tls_set_watch(ob->tls_verify_certificates, FALSE))
{
@@ -1848,7 +1860,8 @@ else
provided. Experiment shows that, if the certificate file is empty, an unhelpful
error message is provided. However, if we just refrain from setting anything up
in that case, certificate verification fails, which seems to be the correct
-behaviour. */
+behaviour.
+If none was configured and we can't handle "system", treat as empty. */
if (!state->lib_state.cabundle)
{
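Review bot: The sentence added at line 75 describes behaviour this hunk does not implement: nothing between lines 70 and 77 tests for "system", and the `if (!state->lib_state.cabundle)` branch that follows continues outside the hunk, so a reader cannot see where a value of "system" becomes "empty" on a build without SUPPORT_SYSDEFAULT_CABUNDLE. If the handling is in the routine this branch calls, the comment should point there rather than restate the rule, e.g. `The "system" case on builds without SUPPORT_SYSDEFAULT_CABUNDLE is handled by the bundle loader called below.` If instead the branch relies on the preload guard at line 1526 having left cabundle unset, that dependency should be named, since values that merely contain an expansion item also arrive here unloaded.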
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index c62de724d..a121e34ae 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -194,9 +194,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
.keepalive = TRUE,
.retry_include_ip_address = TRUE,
#ifndef DISABLE_TLS
-# if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
.tls_verify_certificates = US"system",
-# endif
.tls_dh_min_bits = EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
.tls_tempfail_tryclear = TRUE,
.tls_try_verify_hosts = US"*",