[Exim] [patch] $tls_certificate_verified

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Matt Bernstein
Dátum:  
Címzett: exim-users
Tárgy: [Exim] [patch] $tls_certificate_verified
This patch allows this variable (I switched it from a BOOL to an int to
make it behave like $host_lookup_failed..I think--it's late).

$tls_certificate_verified: This variable contains ``1'' if the SMTP
connection is encrypted and the client provides a certificate which is
successfully verified. Otherwise the value of the variable is ``0''.

Haven't tested it the other way around (ie verifying server certs).

Example usage (AUTH EXTERNAL):

external:
driver = plaintext
public_name = EXTERNAL
server_condition = ${if eq{$tls_certificate_verified}{1}{yes}{no}}
server_set_id = ${if match{$tls_peerdn}{\N/CN=(.+)/\N}{$1}fail}

I really wanted the regex [^/]CN=(.+)[/$] but my brain is too scrambled to
escape it properly. Hints appreciated.. ..alternatively the $tls_peercn
that SRH posted a patch for..

My patch assumes you're in src/ (sorry).

--- acl.c~    Mon Jul 22 09:59:47 2002
+++ acl.c    Wed Sep 11 23:44:42 2002
@@ -436,7 +436,7 @@
 mandatory verification, the connection doesn't last this long.) */


if (strcmpic(ss, US"certificate") == 0)
- return tls_certificate_verified? OK : FAIL;
+ return (tls_certificate_verified == 1)? OK : FAIL;

/* We can test the result of optional HELO verification */

--- expand.c~    Mon Jul 22 09:59:48 2002
+++ expand.c    Wed Sep 11 23:43:08 2002
@@ -246,6 +246,7 @@
   { "spool_directory",     vtype_stringptr,   &spool_directory },
   { "thisaddress",         vtype_stringptr,   &filter_thisaddress },
 #ifdef SUPPORT_TLS
+  { "tls_certificate_verified",vtype_int,     &tls_certificate_verified },
   { "tls_cipher",          vtype_stringptr,   &tls_cipher },
   { "tls_peerdn",          vtype_stringptr,   &tls_peerdn },
 #endif
--- globals.c~    Mon Jul 22 09:59:48 2002
+++ globals.c    Wed Sep 11 23:46:18 2002
@@ -83,7 +83,7 @@
 them. */


 BOOL    tls_active             = -1;
-BOOL    tls_certificate_verified = FALSE;
+int     tls_certificate_verified = 0;
 uschar *tls_cipher             = NULL;


 #ifdef SUPPORT_TLS
--- globals.h~    Mon Jul 22 09:59:49 2002
+++ globals.h    Wed Sep 11 23:47:12 2002
@@ -48,7 +48,7 @@
 them. */


 extern int     tls_active;             /* fd/socket when in a TLS session */
-extern BOOL    tls_certificate_verified; /* Client certificate verified */
+extern int     tls_certificate_verified; /* Client certificate verified */
 extern uschar *tls_cipher;             /* Cipher used */


 #ifdef SUPPORT_TLS
--- tls.c~    Mon Jul 22 09:59:51 2002
+++ tls.c    Wed Sep 11 23:47:49 2002
@@ -196,7 +196,7 @@
   tls_peerdn = txt;
   }


-if (!verify_callback_called) tls_certificate_verified = TRUE;
+if (!verify_callback_called) tls_certificate_verified = 1;
verify_callback_called = TRUE;

return 1; /* accept */