summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/src/tls-gnu.c21
1 files changed, 15 insertions, 6 deletions
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 9f166691a..8c8a00f72 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1573,7 +1573,7 @@ Returns:
*/
static BOOL
-verify_certificate(exim_gnutls_state_st *state, uschar ** errstr)
+verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
{
int rc;
uint verify;
@@ -1625,6 +1625,16 @@ else
goto badcert;
}
state->peer_dane_verified = TRUE;
+
+ /* If there were only EE-mode TLSA records present, no checks on cert anchor
+ valididation or cert names are required. For a TA record only, or a mixed
+ set, do them (we cannot tell if an EE record worked). */
+
+ if (!(tls_out.tlsa_usage & (1 << 2)))
+ {
+ state->peer_cert_verified = TRUE;
+ goto goodcert;
+ }
}
#endif
@@ -1633,9 +1643,7 @@ else
/* Handle the result of verification. INVALID is set if any others are. */
-if (rc < 0 ||
- verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
- )
+if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
{
state->peer_cert_verified = FALSE;
if (!*errstr)
@@ -1676,8 +1684,9 @@ else
state->peerdn ? state->peerdn : US"<unset>");
}
-state->tlsp->peerdn = state->peerdn;
-return TRUE;
+goodcert:
+ state->tlsp->peerdn = state->peerdn;
+ return TRUE;
badcert:
gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-10 18:37:00 +0000