authorJeremy Harris <jgh146exb@wizmail.org>2015-11-01 19:46:28 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2015-11-08 16:19:46 +0000
commit23f3dc67a13f71bb8fdf2930052d3fdce85e9774 (patch)
tree780d7e88f9c996c1889d25a7d228d3864d620a33 /src
parentd658adda50d19b00d2242c0f9162ab510ecda799 (diff)
TLS: Default tls_advertise_hosts to "*". Bug 1709
Make the option available in non-TLS builds, and clear in testsuite confs as needed to keep TLS and non-TLS testcase outputs the same. An error is logged at startup if tls_advertise_hosts is nonempty but tls_certificate is not set.
Diffstat (limited to 'src')
-rw-r--r--src/src/deliver.c3
-rw-r--r--src/src/globals.c8
-rw-r--r--src/src/globals.h6
-rw-r--r--src/src/readconf.c14
4 files changed, 22 insertions, 9 deletions
diff --git a/src/src/deliver.c b/src/src/deliver.c
index 5c4b22712..f3ae2208a 100644
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -7326,8 +7326,7 @@ wording. */
if ((hu = addr->host_used) && hu->name)
{
const uschar * s;
- fprintf(f, "Remote-MTA: dns; %s\n",
- hu->name);
+ fprintf(f, "Remote-MTA: dns; %s\n", hu->name);
#ifdef EXPERIMENTAL_DSN_INFO
if (hu->address)
{
diff --git a/src/src/globals.c b/src/src/globals.c
index 20e578e27..5dd0b13fb 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -148,7 +148,7 @@ uschar *gnutls_require_kx = NULL;
uschar *gnutls_require_proto = NULL;
uschar *openssl_options = NULL;
const pcre *regex_STARTTLS = NULL;
-uschar *tls_advertise_hosts = NULL; /* This is deliberate */
+uschar *tls_advertise_hosts = US"*";
uschar *tls_certificate = NULL;
uschar *tls_crl = NULL;
/* This default matches NSS DH_MAX_P_BITS value at current time (2012), because
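Review bot: The new `US"*"` default on the replaced line is the behavioural change of this commit, yet the one comment that documented the old opt-in NULL default (`/* This is deliberate */`) is dropped and nothing explains the new value, which advertises TLS to every host matched by the wildcard unless the admin overrides it. A why-comment in place would save the next reader a trip to the tracker: `uschar *tls_advertise_hosts = US"*"; /* Bug 1709: advertise STARTTLS to all hosts by default; readconf warns if tls_certificate is unset */`. The non-TLS build gets a separate NULL definition later in this same file, so the comment should be specific to the SUPPORT_TLS build.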
@@ -157,9 +157,9 @@ bit-count as "NORMAL" (2432) and Thunderbird dropping connection. */
int tls_dh_max_bits = 2236;
uschar *tls_dhparam = NULL;
uschar *tls_eccurve = US"prime256v1";
-#ifndef DISABLE_OCSP
+# ifndef DISABLE_OCSP
uschar *tls_ocsp_file = NULL;
-#endif
+# endif
BOOL tls_offered = FALSE;
uschar *tls_privatekey = NULL;
BOOL tls_remember_esmtp = FALSE;
@@ -167,6 +167,8 @@ uschar *tls_require_ciphers = NULL;
uschar *tls_try_verify_hosts = NULL;
uschar *tls_verify_certificates= US"system";
uschar *tls_verify_hosts = NULL;
+#else /*!SUPPORT_TLS*/
+uschar *tls_advertise_hosts = NULL;
#endif
#ifndef DISABLE_PRDR
diff --git a/src/src/globals.h b/src/src/globals.h
index 7bfb5aa47..6aaa4e009 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -112,16 +112,15 @@ extern uschar *gnutls_require_kx; /* So some can be avoided */
extern uschar *gnutls_require_proto; /* So some can be avoided */
extern uschar *openssl_options; /* OpenSSL compatibility options */
extern const pcre *regex_STARTTLS; /* For recognizing STARTTLS settings */
-extern uschar *tls_advertise_hosts; /* host for which TLS is advertised */
extern uschar *tls_certificate; /* Certificate file */
extern uschar *tls_channelbinding_b64; /* string of base64 channel binding */
extern uschar *tls_crl; /* CRL File */
extern int tls_dh_max_bits; /* don't accept higher lib suggestions */
extern uschar *tls_dhparam; /* DH param file */
extern uschar *tls_eccurve; /* EC curve */
-#ifndef DISABLE_OCSP
+# ifndef DISABLE_OCSP
extern uschar *tls_ocsp_file; /* OCSP stapling proof file */
-#endif
+# endif
extern BOOL tls_offered; /* Server offered TLS */
extern uschar *tls_privatekey; /* Private key file */
extern BOOL tls_remember_esmtp; /* For YAEB */
@@ -130,6 +129,7 @@ extern uschar *tls_try_verify_hosts; /* Optional client verification */
extern uschar *tls_verify_certificates;/* Path for certificates to check */
extern uschar *tls_verify_hosts; /* Mandatory client verification */
#endif
+extern uschar *tls_advertise_hosts; /* host for which TLS is advertised */
extern uschar *dsn_envid; /* DSN envid string */
extern int dsn_ret; /* DSN ret type*/
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 61d71773f..2ffdd4720 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -443,8 +443,8 @@ static optionlist optionlist_config[] = {
#endif
{ "timeout_frozen_after", opt_time, &timeout_frozen_after },
{ "timezone", opt_stringptr, &timezone_string },
-#ifdef SUPPORT_TLS
{ "tls_advertise_hosts", opt_stringptr, &tls_advertise_hosts },
+#ifdef SUPPORT_TLS
{ "tls_certificate", opt_stringptr, &tls_certificate },
{ "tls_crl", opt_stringptr, &tls_crl },
{ "tls_dh_max_bits", opt_int, &tls_dh_max_bits },
@@ -2895,6 +2895,18 @@ pid_t pid;
int rc, status;
void (*oldsignal)(int);
+/* If TLS will never be used, no point checking ciphers */
+
+if ( !tls_advertise_hosts
+ || !*tls_advertise_hosts
+ || Ustrcmp(tls_advertise_hosts, ":") == 0
+ )
+ return TRUE;
+else if (!tls_certificate)
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "Warning: No server certificate defined; TLS connections will fail.\n"
+ " Suggested action: either install a certificate or change tls_advertise_hosts option");
+
oldsignal = signal(SIGCHLD, SIG_DFL);
fflush(NULL);
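Review bot: The missing-certificate branch logs with LOG_MAIN|LOG_PANIC and then falls straight through to the signal()/fflush() lines, so a server that now advertises STARTTLS to every host by default still starts up and will present an advertisement it cannot honour; the commit message calls this "an error", but the code treats it as a warning. Since the function already returns BOOL (`return TRUE;` a few lines up), the cheapest way to make the outcome explicit is `return FALSE;` after the log_write, if the caller treats FALSE as a fatal validation failure, which I cannot confirm from this hunk. The skip test is also a literal comparison against "" and ":", so a host list that expands to empty at runtime is not recognised here; that only costs a spurious warning, but a comment such as `/* literal check only; list expansion is not evaluated here */` would stop someone "fixing" it later. The enclosing function starts before this hunk and continues after it.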