-rw-r--r--doc/doc-txt/experimental-spec.txt7
-rw-r--r--src/src/tls-gnu.c10
-rw-r--r--src/src/tls-openssl.c10
-rw-r--r--test/confs/544017
-rw-r--r--test/confs/545017
-rw-r--r--test/log/54408
-rw-r--r--test/log/545014
-rw-r--r--test/scripts/5440-certnames-GnuTLS/54404
-rw-r--r--test/scripts/5450-certnames-OpenSSL/54505
9 files changed, 49 insertions, 43 deletions
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 266e19891..f6529c6e2 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1154,14 +1154,17 @@ support to date has not made these checks.
If built with EXPERIMENTAL_CERTNAMES defined, code is
included to do so for server certificates, and a new smtp transport option
-"tls_verify_cert_hostnames" supported which takes a list of
-names for which the additional checks must be made.
+"tls_verify_cert_hostnames" supported which takes a hostlist
+which must match the target host for the additional checks must be made.
The option currently defaults to empty, but this may change in
the future. "*" is probably a suitable value.
Whether certificate verification is done at all, and the result of
it failing, is stll under the control of "tls_verify_hosts" nad
"tls_try_verify_hosts".
+The name being checked is that for the host, generally
+the result of an MX lookup.
+
Both Subject and Subject-Alternate-Name certificate fields
are supported, as are wildcard certificates (limited to
a single wildcard being the initial component of a 3-or-more
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 04de02d74..093b3a375 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1846,17 +1846,13 @@ if (( state->exp_tls_verify_certificates
)
{
#ifdef EXPERIMENTAL_CERTNAMES
- if (ob->tls_verify_cert_hostnames)
+ if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK)
{
DEBUG(D_tls)
debug_printf("TLS: server cert incl. hostname verification required.\n");
state->verify_requirement = VERIFY_WITHHOST;
- if (!expand_check(ob->tls_verify_cert_hostnames,
- US"tls_verify_cert_hostnames",
- &state->exp_tls_verify_cert_hostnames))
- return FAIL;
- if (state->exp_tls_verify_cert_hostnames)
- DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
+ state->exp_tls_verify_cert_hostnames = host->name;
+ DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
state->exp_tls_verify_cert_hostnames);
}
else
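Review bot: `state->exp_tls_verify_cert_hostnames = host->name;` binds the certificate name check to a name that, per the doc hunk in this same commit, is generally the result of an MX lookup — DNS data that is unauthenticated unless the resolution was DNSSEC-validated or the hosts list is fixed in configuration — and that limit on what the check proves should be stated at the assignment, e.g. `/* The name checked is the host name from DNS (usually the MX target); the check is only as strong as that lookup. */`. The removed code also printed the debug line only when the expanded name was non-NULL, whereas the new `debug_printf("Cert hostname to check: \"%s\"\n", ...)` is unconditional, so it now assumes host->name is never NULL for a host reached here; if that holds for every host item the transport can build it is worth a one-line comment, otherwise a guard. The identical change in tls-openssl.c (`cbinfo->verify_cert_hostnames = host->name;`) has the same two points. The enclosing function starts and ends outside this hunk.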
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 63bf83b1d..628860044 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1692,14 +1692,10 @@ if ((!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) ||
client_verify_optional = FALSE;
#ifdef EXPERIMENTAL_CERTNAMES
- if (ob->tls_verify_cert_hostnames)
+ if (verify_check_host(&ob->tls_verify_cert_hostnames) == OK)
{
- if (!expand_check(ob->tls_verify_cert_hostnames,
- US"tls_verify_cert_hostnames",
- &cbinfo->verify_cert_hostnames))
- return FAIL;
- if (cbinfo->verify_cert_hostnames)
- DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
+ cbinfo->verify_cert_hostnames = host->name;
+ DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
cbinfo->verify_cert_hostnames);
}
#endif
diff --git a/test/confs/5440 b/test/confs/5440
index 03d9916fb..01ba52532 100644
--- a/test/confs/5440
+++ b/test/confs/5440
@@ -1,5 +1,5 @@
# Exim test configuration 5440
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
SERVER=
@@ -131,11 +131,12 @@ send_to_server_crypt:
tls_verify_certificates = CA2
tls_try_verify_hosts = *
-# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
+# Fail due to lack of correct CA
send_to_server_req_fail:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
@@ -144,29 +145,31 @@ send_to_server_req_fail:
tls_verify_hosts = *
# this will fail to verify the cert name and fallback to unencrypted
+# fail because the cert is "server1.example.com" and the test system is something else
send_to_server_req_failname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
- tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *
# this will pass the cert verify including name check
+# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
send_to_server_req_passname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = server1.example.com
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
- tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *
# End
diff --git a/test/confs/5450 b/test/confs/5450
index e737cf36d..dd42a3fb1 100644
--- a/test/confs/5450
+++ b/test/confs/5450
@@ -1,5 +1,5 @@
# Exim test configuration 5450
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
SERVER=
@@ -131,11 +131,12 @@ send_to_server_crypt:
tls_verify_certificates = CA2
tls_try_verify_hosts = *
-# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
+# this will fail to verify the cert at HOSTNAME and fallback to unencrypted
+# Fail due to lack of correct CA
send_to_server_req_fail:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
@@ -144,29 +145,31 @@ send_to_server_req_fail:
tls_verify_hosts = *
# this will fail to verify the cert name and fallback to unencrypted
+# fail because the cert is "server1.example.com" and the test system is something else
send_to_server_req_failname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = HOSTNAME
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
- tls_verify_cert_hostnames = server1.example.net : server1.example.org
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *
# this will pass the cert verify including name check
+# our stunt DNS has an A record for server1.example.com -> HOSTIPV4
send_to_server_req_passname:
driver = smtp
allow_localhost
- hosts = HOSTIPV4
+ hosts = server1.example.com
port = PORT_D
tls_certificate = CERT2
tls_privatekey = CERT2
tls_verify_certificates = CA1
- tls_verify_cert_hostnames = noway.example.com : server1.example.com
+ tls_verify_cert_hostnames = *
tls_verify_hosts = *
# End
diff --git a/test/log/5440 b/test/log/5440
index b90e6edb3..f084e82a9 100644
--- a/test/log/5440
+++ b/test/log/5440
@@ -1,11 +1,11 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed)
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (certificate verification failed)
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmaZ-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 CV=yes DN="CN=server1.example.com" C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/log/5450 b/test/log/5450
index 243215335..d56307a19 100644
--- a/test/log/5450
+++ b/test/log/5450
@@ -3,17 +3,17 @@
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local S=sss
1999-03-02 09:44:33 Start queue run: pid=pppp -qf
1999-03-02 09:44:33 10HmaX-0005vi-00 SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=server1.example.com
-1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaX-0005vi-00 => userq@test.ex R=client_q T=send_to_server_req_fail H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbA-0005vi-00"
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
1999-03-02 09:44:33 10HmaY-0005vi-00 SSL verify error: certificate name mismatch: "/CN=server1.example.com"
-1999-03-02 09:44:33 10HmaY-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
-1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 H=the.local.host.name [ip4.ip4.ip4.ip4] TLS error on connection (SSL_connect): error: <<detail omitted>>
+1999-03-02 09:44:33 10HmaY-0005vi-00 TLS session failure: delivering unencrypted to the.local.host.name [ip4.ip4.ip4.ip4] (not in hosts_require_tls)
+1999-03-02 09:44:33 10HmaY-0005vi-00 => userr@test.ex R=client_r T=send_to_server_req_failname H=the.local.host.name [ip4.ip4.ip4.ip4] C="250 OK id=10HmbB-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => users@test.ex R=client_s T=send_to_server_req_passname H=server1.example.com [ip4.ip4.ip4.ip4] X=TLSv1:AES256-SHA:256 CV=yes DN="/CN=server1.example.com" C="250 OK id=10HmbC-0005vi-00"
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf
diff --git a/test/scripts/5440-certnames-GnuTLS/5440 b/test/scripts/5440-certnames-GnuTLS/5440
index fea9551c0..2a61eb1d0 100644
--- a/test/scripts/5440-certnames-GnuTLS/5440
+++ b/test/scripts/5440-certnames-GnuTLS/5440
@@ -1,10 +1,12 @@
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
gnutls
exim -DSERVER=server -bd -oX PORT_D
****
+# this will fail to verify the cert name and fallback to unencrypted
exim userr@test.ex
Testing
****
+# this will pass the cert verify including name check
exim users@test.ex
Testing
****
diff --git a/test/scripts/5450-certnames-OpenSSL/5450 b/test/scripts/5450-certnames-OpenSSL/5450
index c94d1a5b2..5359096b1 100644
--- a/test/scripts/5450-certnames-OpenSSL/5450
+++ b/test/scripts/5450-certnames-OpenSSL/5450
@@ -1,12 +1,15 @@
-# TLS client: verify certificate from server - fails
+# TLS client: verify certificate from server - name-fails
exim -DSERVER=server -bd -oX PORT_D
****
+# this will fail to verify the cert at HOSTIPV4 and fallback to unencrypted
exim userq@test.ex
Testing
****
+# this will fail to verify the cert name and fallback to unencrypted
exim userr@test.ex
Testing
****
+# this will pass the cert verify including name check
exim users@test.ex
Testing
****