From 31a4354e12b3bfc2d724f3b521aaa529710f5865 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 23 Nov 2014 16:58:06 +0000 Subject: Make "system" location for certificate CA bundle the default --- src/src/globals.c | 2 +- src/src/tls-gnu.c | 6 +++++- src/src/transports/smtp.c | 2 +- 3 files changed, 7 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/src/globals.c b/src/src/globals.c index a7beec602..1b09008a1 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -166,7 +166,7 @@ uschar *tls_privatekey = NULL; BOOL tls_remember_esmtp = FALSE; uschar *tls_require_ciphers = NULL; uschar *tls_try_verify_hosts = NULL; -uschar *tls_verify_certificates= NULL; +uschar *tls_verify_certificates= US"system"; uschar *tls_verify_hosts = NULL; #endif diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 4943f48b7..42d04224a 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -853,7 +853,11 @@ error message is provided. However, if we just refrain from setting anything up in that case, certificate verification fails, which seems to be the correct behaviour. */ -if (state->tls_verify_certificates && *state->tls_verify_certificates) +if ( state->tls_verify_certificates && *state->tls_verify_certificates +#ifndef SUPPORT_SYSDEFAULT_CABUNDLE + && Ustrcmp(state->exp_tls_verify_certificates, "system") != 0 +#endif + ) { if (!expand_check_tlsvar(tls_verify_certificates)) return DEFER; diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index fe0e733f8..7bc0fa086 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -255,7 +255,7 @@ smtp_transport_options_block smtp_transport_option_defaults = { NULL, /* gnutls_require_mac */ NULL, /* gnutls_require_proto */ NULL, /* tls_sni */ - NULL, /* tls_verify_certificates */ + US"system", /* tls_verify_certificates */ EXIM_CLIENT_DH_DEFAULT_MIN_BITS, /* tls_dh_min_bits */ TRUE, /* tls_tempfail_tryclear */ -- cgit v1.2.3