Diffstat (limited to 'src')
-rw-r--r-- | src/src/globals.c | 2 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 6 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 2 |
3 files changed, 7 insertions, 3 deletions
diff --git a/src/src/globals.c b/src/src/globals.c index a7beec602..1b09008a1 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -166,7 +166,7 @@ uschar *tls_privatekey = NULL; BOOL tls_remember_esmtp = FALSE; uschar *tls_require_ciphers = NULL; uschar *tls_try_verify_hosts = NULL; -uschar *tls_verify_certificates= NULL; +uschar *tls_verify_certificates= US"system"; uschar *tls_verify_hosts = NULL; #endif diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 4943f48b7..42d04224a 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -853,7 +853,11 @@ error message is provided. However, if we just refrain from setting anything up in that case, certificate verification fails, which seems to be the correct behaviour. */ -if (state->tls_verify_certificates && *state->tls_verify_certificates) +if ( state->tls_verify_certificates && *state->tls_verify_certificates +#ifndef SUPPORT_SYSDEFAULT_CABUNDLE + && Ustrcmp(state->exp_tls_verify_certificates, "system") != 0 +#endif + ) { if (!expand_check_tlsvar(tls_verify_certificates)) return DEFER; diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index f57ee69d0..a455ba553 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -255,7 +255,7 @@ smtp_transport_options_block smtp_transport_option_defaults = { NULL, /* gnutls_require_mac */ NULL, /* gnutls_require_proto */ NULL, /* tls_sni */ - NULL, /* tls_verify_certificates */ + US"system", /* tls_verify_certificates */ EXIM_CLIENT_DH_DEFAULT_MIN_BITS, /* tls_dh_min_bits */ TRUE, /* tls_tempfail_tryclear */ |
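Review bot: The new default `US"system"` for `tls_verify_certificates` in globals.c, and the matching smtp transport default in transports/smtp.c, is a keyword rather than a path, and nothing at either initialiser says so. A short comment at both places would help, for example `/* "system" = use the TLS library's default CA bundle, not a file name */`. Of the TLS backends, this diff touches only tls-gnu.c, so it is worth confirming that every other backend recognises the literal. A backend that treats the value as a file or directory name would try to load trust anchors from a path called "system", and with this as the default that would affect every configuration that leaves the option unset.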
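Review bot: In the tls-gnu.c hunk the added `Ustrcmp(state->exp_tls_verify_certificates, "system")` reads the expanded value in the `if` condition, while the call that presumably fills it, `expand_check_tlsvar(tls_verify_certificates)`, only runs inside the block that condition guards. Unless the field is populated earlier in the function, which is outside the hunk, the comparison sees NULL or a stale value from a previous setup. On builds without `SUPPORT_SYSDEFAULT_CABUNDLE` that means a possible NULL dereference, or a wrong decision about whether to load trust anchors. I would keep the original condition and do the test after the expansion succeeds, e.g. `if (state->exp_tls_verify_certificates && Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)` inside the same `#ifndef`, skipping the CA-loading step there. Since "system" is now the default, that fallback should also be logged, so an operator can see that no CA bundle was loaded and verification will fail.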