author | Jeremy Harris <jgh146exb@wizmail.org> | 2020-08-19 21:09:04 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2020-08-20 00:00:22 +0100 |
commit | 7044dd8fd62e215572ecf5a2c7f1bb9581cf6628 (patch) | |
tree | bcca106e4834b86f3fce79503768eff86441edb0 /src | |
parent | 7f83b348ccf4cd815e9758ab9ca1012e66324e9d (diff) |
DANE: force SNI to use $domain. Bug 2265
Note: this is not a complete fix for the issue
Diffstat (limited to 'src')
-rw-r--r-- | src/src/receive.c | 2 | ||||
-rw-r--r-- | src/src/smtp_in.c | 2 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 2 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 1 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 1 |
5 files changed, 5 insertions, 3 deletions
diff --git a/src/src/receive.c b/src/src/receive.c
index 707fe07f7..95c44c01c 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -4004,7 +4004,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher)
 if (LOGGING(tls_peerdn) && tls_in.peerdn)
 g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
 if (LOGGING(tls_sni) && tls_in.sni)
- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
 #endif
 if (sender_host_authenticated)
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 3325d54c6..aa1d5b09c 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1812,7 +1812,7 @@ if (LOGGING(tls_certificate_verified) && tls_in.cipher)
 if (LOGGING(tls_peerdn) && tls_in.peerdn)
 g = string_append(g, 3, US" DN=\"", string_printing(tls_in.peerdn), US"\"");
 if (LOGGING(tls_sni) && tls_in.sni)
- g = string_append(g, 3, US" SNI=\"", string_printing(tls_in.sni), US"\"");
+ g = string_append(g, 2, US" SNI=", string_printing2(tls_in.sni, SP_TAB|SP_SPACE));
 return g;
 }
 #endif
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 013d9c0e8..cf3804982 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2868,7 +2868,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->so
 /* If dane is flagged, have either request or require dane for this host, and a TLSA record found. Therefore, dane verify required. Which implies cert must be requested and supplied, dane verify must pass, and cert verify irrelevant
-(incl. hostnames), and (caller handled) require_tls */
+(incl. hostnames), and (caller handled) require_tls and sni=$domain */
 if (conn_args->dane && ob->dane_require_tls_ciphers)
 {
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 64f60b7e4..5bc9f8f53 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
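Review bot: The `SNI=` field of the main-log line changes shape here — the surrounding `"…"` quoting is dropped and `string_printing2(tls_in.sni, SP_TAB|SP_SPACE)` escapes whitespace instead — and the identical edit is made in the smtp_in.c hunk, yet neither the commit message nor a changelog entry records it, so log consumers matching the quoted form will silently stop seeing the field. The new form is the better one for a client-chosen value such as SNI, since plain `string_printing` does not appear to escape `"`, which let a crafted SNI close the quotes early in the old layout; that rationale deserves a line next to the call, e.g. `/* SNI is client-supplied: escape whitespace rather than quote, so a '"' in it cannot break the log field */`. The two hunks are byte-identical copies of the same logging code in receive.c and smtp_in.c; a shared helper would keep the tls_peerdn quoting and the tls_sni escaping from drifting apart again.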
@@ -3200,6 +3200,7 @@ tlsp->tlsa_usage = 0;
 #ifndef DISABLE_OCSP
 {
 # ifdef SUPPORT_DANE
+ /*XXX this should be moved to caller, to be common across gnutls/openssl */
 if ( conn_args->dane
 && ob->hosts_request_ocsp[0] == '*'
 && ob->hosts_request_ocsp[1] == '\0'
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 341acde2d..fef4717f5 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2018,6 +2018,7 @@ if (!continue_hostname)
 {
 case OK: sx->conn_args.dane = TRUE;
 ob->tls_tempfail_tryclear = FALSE;
+ ob->tls_sni = sx->addrlist->domain;
 break;
 case FAIL_FORCED: break;
 default: set_errno_nohost(sx->addrlist, ERRNO_DNSDEFER, |
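Review bot: `ob->tls_sni = sx->addrlist->domain;` stores the address domain in what looks like the transport's shared option block rather than in per-connection state on `sx`, so — if `ob` is the configured options block, as the neighbouring `ob->tls_tempfail_tryclear = FALSE;` suggests — the override outlives this connection, and a later non-DANE host handled by the same transport instance in this process would inherit the previous recipient's domain as SNI unless something outside the hunk resets it. Holding the forced name on the connection context (`sx->conn_args`) or saving and restoring `ob->tls_sni` around the delivery would keep the override scoped to the DANE `case OK:` the commit intends. The value is also stored un-expanded while `tls_sni` is presumably an expandable option; a comment such as `/* DANE: SNI is forced to the raw address domain, not an expansion */` would make that explicit. The enclosing switch and function start and end outside the hunk.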