* ocsp_staple_rollup:
tidying
OCSP-stapling enhancement and testing.
Reported by Heiko Schlichting.
fixes 1345
Note that this function is never going to be called pre-fork unless the
admin is doing something highly unusual with ${randint:..} in a context
evaluated in the listening daemon. Other forks should result in a
re-exec(), thus resetting state.
Nonetheless, be more cautious, explicitly reset state.
Fix per PostgreSQL.
PS: why does OpenSSL not document RAND_cleanup() on the same page as all
the other entropy pool maintenance functions?
Work by J. Nick Koston, for cPanel, Inc.
Normally when a router redirects an address directly to a pipe command
the command option on the transport is ignored. If force_command
is set, the command option will be expanded and used. This is especially
useful for forcing a wrapper or additional argument to be added to the
command.
Server:
Honor environment variable as well as running_in_test_harness in permitting bogus staplings
Update server tests
Add "-ocsp" option to client-ssl.
Server side: add verification of stapled status.
First cut server-mode ocsp testing.
Fix some uninitialized ocsp-related data.
Client (new):
Verify stapling using only the chain that verified the server cert, not any acceptable chain.
Add check for multiple responses in a stapling, which is not handled
Refuse verification on expired and revoking staplings.
Handle OCSP client refusal on lack of stapling from server.
More fixing in client OCSP: use the server cert signing chain to verify the OCSP info.
Add transport hosts_require_ocsp option.
Log stapling responses.
Start on tests for client-side.
Testing support:
Add CRL generation code and documentation update
Initial CA & certificate set for testing.
BUGFIX:
Once a single OCSP response has been extracted the validation
routine return code is no longer about the structure, but the actual
returned OCSP status.
This per Tony's suggestion; this makes it clearer that we are merely
setting resolver flags, not performing validation ourselves.
Well, clearer to those who understand DNSSEC. For everyone else,
they'll still be dependent upon a forthcoming new chapter to the
Specification.
New behaviour matches GnuTLS handling, and is documented.
Previously, a tls_verify_certificates expansion forced failure was the
only portable way to avoid setting this option. Now, an empty string is
equivalent.
Resolves:
gcc receive.c
receive.c:520: warning: 'smtp_user_msg' defined but not used
Base patch by Alain Williams.
Tweaked, to avoid putting an IPv6-dependency into the default
uncommented form, and some rewording.
Bugzilla 880.
GitHub PR #1.
Issue debugged by Todd Lyons, this fix from me.
Define SIOCGIFCONF_GIVES_ADDR in OS/os.h-GNU
Fixes 1331.
JH has made more changes than he realised. New second JH/11 to JH/13.
The router name is explicitly nulled after the router exits;
the transport name is set only in the subprocess it runs in.
Wondering why you wrote some code and having to grep the source code to find out,
in the same year that you wrote it, is generally a sign of missing information.
Fixed.
Mostly typos.
Was one instance of "which a future release of Exim will probably support"
which should already have been "which Exim now supports". Doh. Fixed
too.
Missing step for adding a new lookup noticed by Paul Gamble.
Caught by Jeremy; was wrong in (my) original commit, the dual-TLS work
had just renamed the variables and theoretically made it more visible.
I still missed it.
The server_sni context initialisation was setting the OCSP status
callback context parameter back on the original server_ctx instead of
the new server_sni context.
I guess OCSP and SNI aren't being used together in Exim much yet.
This was noticeable when re-building as a non-privileged user
after installing as root; lookups/Makefile had been rebuilt
by root and when it was rebuilt again by the unprivileged user
`mv` demanded confirmation before overwriting the file.
Most of these are due to the changes in the logging of
ultimate timeout checks.
Test 0548 is more meaningfully affected. The test originally
failed to spot that the recipient-specific deferrals pushed
past the ultimate retry timeout.
This reverts commit fee685ddb4cb1a995556b5cc35df907ae7a8ad62.
Only do the ultimate address timeout check if there is an address
retry record and there is not a domain retry record; this implies
that previous attempts to handle the address had the retry_use_local_parts
option turned on. We use this as an approximation for the destination
being like a local delivery, as in LMTP.
Test 0254 submits a message to Exim with the header
Resent-From: f
When I ran the test suite under the user fanf2, Exim expanded
the header to contain my full name, whereas it should have added
a Resent-Sender: header. It erroneously treats any prefix of the
username as equal to the username.
This change corrects that bug.