author | Jeremy Harris <jgh146exb@wizmail.org> | 2015-11-01 19:46:28 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2015-11-08 16:19:46 +0000 |
commit | 23f3dc67a13f71bb8fdf2930052d3fdce85e9774 (patch) | |
tree | 780d7e88f9c996c1889d25a7d228d3864d620a33 /src | |
parent | d658adda50d19b00d2242c0f9162ab510ecda799 (diff) |
TLS: Default tls_advertise_hosts to "*". Bug 1709
Make the option available in non-TLS builds, and clear in testsuite
confs as needed to keep TLS and non-TLS testcase outputs the same.
An error is logged at startup if tls_advertise_hosts is nonempty
but tls_certificate is not set.
Diffstat (limited to 'src')
-rw-r--r-- | src/src/deliver.c | 3 | ||||
-rw-r--r-- | src/src/globals.c | 8 | ||||
-rw-r--r-- | src/src/globals.h | 6 | ||||
-rw-r--r-- | src/src/readconf.c | 14 |
4 files changed, 22 insertions, 9 deletions
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 5c4b22712..f3ae2208a 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -7326,8 +7326,7 @@ wording. */
 if ((hu = addr->host_used) && hu->name)
 {
 const uschar * s;
- fprintf(f, "Remote-MTA: dns; %s\n",
- hu->name);
+ fprintf(f, "Remote-MTA: dns; %s\n", hu->name);
 #ifdef EXPERIMENTAL_DSN_INFO
 if (hu->address)
 {
diff --git a/src/src/globals.c b/src/src/globals.c
index 20e578e27..5dd0b13fb 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -148,7 +148,7 @@ uschar *gnutls_require_kx = NULL;
 uschar *gnutls_require_proto = NULL;
 uschar *openssl_options = NULL;
 const pcre *regex_STARTTLS = NULL;
-uschar *tls_advertise_hosts = NULL; /* This is deliberate */
+uschar *tls_advertise_hosts = US"*";
 uschar *tls_certificate = NULL;
 uschar *tls_crl = NULL;
 /* This default matches NSS DH_MAX_P_BITS value at current time (2012), because
@@ -157,9 +157,9 @@ bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */
 int tls_dh_max_bits = 2236;
 uschar *tls_dhparam = NULL;
 uschar *tls_eccurve = US"prime256v1";
-#ifndef DISABLE_OCSP
+# ifndef DISABLE_OCSP
 uschar *tls_ocsp_file = NULL;
-#endif
+# endif
 BOOL tls_offered = FALSE;
 uschar *tls_privatekey = NULL;
 BOOL tls_remember_esmtp = FALSE;
@@ -167,6 +167,8 @@ uschar *tls_require_ciphers = NULL;
 uschar *tls_try_verify_hosts = NULL;
 uschar *tls_verify_certificates= US"system";
 uschar *tls_verify_hosts = NULL;
+#else /*!SUPPORT_TLS*/
+uschar *tls_advertise_hosts = NULL;
 #endif
 
 #ifndef DISABLE_PRDR
diff --git a/src/src/globals.h b/src/src/globals.h
index 7bfb5aa47..6aaa4e009 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
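Review bot: The new default on the `+uschar *tls_advertise_hosts = US"*";` line drops the old `/* This is deliberate */` note without replacing it, so a later reader cannot tell that advertising STARTTLS to every host is intended rather than a leftover; a comment such as `/* Advertise STARTTLS to all hosts by default; Bug 1709 */` would keep the rationale next to the value. The `+#else /*!SUPPORT_TLS*/` branch further down defines the same variable as NULL, which presumably exists only so the option name is accepted in non-TLS builds; a matching `/* accepted but unused without SUPPORT_TLS */` comment there would make that explicit.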
@@ -112,16 +112,15 @@ extern uschar *gnutls_require_kx; /* So some can be avoided */
 extern uschar *gnutls_require_proto; /* So some can be avoided */
 extern uschar *openssl_options; /* OpenSSL compatibility options */
 extern const pcre *regex_STARTTLS; /* For recognizing STARTTLS settings */
-extern uschar *tls_advertise_hosts; /* host for which TLS is advertised */
 extern uschar *tls_certificate; /* Certificate file */
 extern uschar *tls_channelbinding_b64; /* string of base64 channel binding */
 extern uschar *tls_crl; /* CRL File */
 extern int tls_dh_max_bits; /* don't accept higher lib suggestions */
 extern uschar *tls_dhparam; /* DH param file */
 extern uschar *tls_eccurve; /* EC curve */
-#ifndef DISABLE_OCSP
+# ifndef DISABLE_OCSP
 extern uschar *tls_ocsp_file; /* OCSP stapling proof file */
-#endif
+# endif
 extern BOOL tls_offered; /* Server offered TLS */
 extern uschar *tls_privatekey; /* Private key file */
 extern BOOL tls_remember_esmtp; /* For YAEB */
@@ -130,6 +129,7 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */
 extern uschar *tls_verify_certificates;/* Path for certificates to check */
 extern uschar *tls_verify_hosts; /* Mandatory client verification */
 #endif
+extern uschar *tls_advertise_hosts; /* host for which TLS is advertised */
 
 extern uschar *dsn_envid; /* DSN envid string */
 extern int dsn_ret; /* DSN ret type*/
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 61d71773f..2ffdd4720 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -443,8 +443,8 @@ static optionlist optionlist_config[] = {
 #endif
 { "timeout_frozen_after", opt_time, &timeout_frozen_after },
 { "timezone", opt_stringptr, &timezone_string },
-#ifdef SUPPORT_TLS
 { "tls_advertise_hosts", opt_stringptr, &tls_advertise_hosts },
+#ifdef SUPPORT_TLS
 { "tls_certificate", opt_stringptr, &tls_certificate },
 { "tls_crl", opt_stringptr, &tls_crl },
 { "tls_dh_max_bits", opt_int, &tls_dh_max_bits },
@@ -2895,6 +2895,18 @@ pid_t pid;
 int rc, status;
 void (*oldsignal)(int);
 
+/* If TLS will never be used, no point checking ciphers */
+
+if ( !tls_advertise_hosts
+ || !*tls_advertise_hosts
+ || Ustrcmp(tls_advertise_hosts, ":") == 0
+ )
+ return TRUE;
+else if (!tls_certificate)
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "Warning: No server certificate defined; TLS connections will fail.\n"
+ " Suggested action: either install a certificate or change tls_advertise_hosts option");
+
 oldsignal = signal(SIGCHLD, SIG_DFL);
 
 fflush(NULL);
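Review bot: The certificate test on the `+else if (!tls_certificate)` line only catches an unset option, whereas the advertise test a few lines above also rejects an empty string with `!*tls_advertise_hosts`; a configuration with `tls_certificate =` (set but empty) therefore still advertises STARTTLS to everyone under the new "*" default without this warning being logged. Making the two tests symmetric, `else if (!tls_certificate || !*tls_certificate)`, closes that gap. The enclosing function starts and ends outside the hunk; its caller is not visible here, and if it runs on every configuration read rather than only at daemon start, this LOG_PANIC entry would be repeated on each Exim invocation, which is worth confirming against the call site.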