Hi there: I needed CRL support for exim 4, and I noted that gnutls had
added CRL support at some point, so I cobbled together this patch
(for the debian package) and sent it to the maintainer, who suggested I
post it here.
I also have a patch against openssl that I ported from one that someone
at work did, but it's more complicated and I haven't tested it yet; it
also needs a little work to behave in the same manner as the gnutls
patch.
Anyway, in addition to tweaking tls-gnu.c, the patch adds a config
variable, tls_crl, which should be a file containing all the PEM-encoded
CRLs you want to use. [ cf tls_verify_certificates, which should contain
the PEM-encoded CA certificates you want to use to check client certs. ]
I have tried it with two different CA certs and CRLs simultaneously,
and it worked for me - hopefully it will be of some use to other people
too. If people are interested, I can supply the openssl patch too.
[ which will work slightly differently, in that tls_crl, like
tls_verify_certificates, will be allowed to be a directory name ]
--
vivek
diff -ur exim4-4.30/src/globals.c exim4-4.30/src/globals.c
--- exim4-4.30/src/globals.c Mon Dec 1 10:15:41 2003
+++ exim4-4.30/src/globals.c Thu Jan 22 15:52:10 2004
@@ -98,6 +98,7 @@
const pcre *regex_STARTTLS = NULL;
uschar *tls_advertise_hosts = NULL; /* This is deliberate */
uschar *tls_certificate = NULL;
+uschar *tls_crl = NULL;
uschar *tls_dhparam = NULL;
BOOL tls_offered = FALSE;
BOOL tls_on_connect = FALSE;
diff -ur exim4-4.30/src/globals.h exim4-4.30/src/globals.h
--- exim4-4.30/src/globals.h Mon Dec 1 10:15:41 2003
+++ exim4-4.30/src/globals.h Thu Jan 22 15:52:10 2004
@@ -62,6 +62,7 @@
extern const pcre *regex_STARTTLS; /* For recognizing STARTTLS settings */
extern uschar *tls_advertise_hosts; /* host for which TLS is advertised */
extern uschar *tls_certificate; /* Certificate file */
+extern uschar *tls_crl; /* CRL File */
extern uschar *tls_dhparam; /* DH param file */
extern BOOL tls_offered; /* Server offered TLS */
extern BOOL tls_on_connect; /* For older MTAs that don't STARTTLS */
diff -ur exim4-4.30/src/readconf.c exim4-4.30/src/readconf.c
--- exim4-4.30/src/readconf.c Mon Dec 1 10:15:41 2003
+++ exim4-4.30/src/readconf.c Thu Jan 22 15:52:10 2004
@@ -332,6 +332,7 @@
#ifdef SUPPORT_TLS
{ "tls_advertise_hosts", opt_stringptr, &tls_advertise_hosts },
{ "tls_certificate", opt_stringptr, &tls_certificate },
+ { "tls_crl", opt_stringptr, &tls_crl },
{ "tls_dhparam", opt_stringptr, &tls_dhparam },
{ "tls_privatekey", opt_stringptr, &tls_privatekey },
{ "tls_remember_esmtp", opt_bool, &tls_remember_esmtp },
Only in exim4-4.30/src: sieve.c.orig
diff -ur exim4-4.30/src/tls-gnu.c exim4-4.30/src/tls-gnu.c
--- exim4-4.30/src/tls-gnu.c Mon Dec 1 10:15:41 2003
+++ exim4-4.30/src/tls-gnu.c Thu Jan 22 15:51:24 2004
@@ -203,9 +203,9 @@
/* Handle the result of verification. */
if ((verify & GNUTLS_CERT_NOT_TRUSTED) != 0 ||
- (verify & GNUTLS_CERT_INVALID) != 0 ||
- (verify & GNUTLS_CERT_CORRUPTED) != 0 ||
- (verify & GNUTLS_CERT_REVOKED) != 0)
+ (verify & GNUTLS_CERT_INVALID) != 0 ||
+ // (verify & GNUTLS_CERT_CORRUPTED) != 0 ||
+ (verify & GNUTLS_CERT_REVOKED) != 0 )
{
tls_certificate_verified = FALSE;
if (verify_requirement == VERIFY_REQUIRED)
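Review bot: The GNUTLS_CERT_CORRUPTED test is disabled at the `//` line with no explanation, so a verification status the previous code treated as a failure now passes, and the dead line is left in the source. If the reason is that the GnuTLS headers being targeted no longer define that flag, a preprocessor guard keeps the check wherever it is still available and drops the commented-out code: `#ifdef GNUTLS_CERT_CORRUPTED` / `(verify & GNUTLS_CERT_CORRUPTED) != 0 ||` / `#endif`. The surrounding code uses `/* */` comments rather than `//`, and the rewritten last condition gained a stray space before its closing parenthesis. The enclosing function starts and ends outside the hunk.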
@@ -426,7 +426,7 @@
tls_init(host_item *host, uschar *certificate, uschar *privatekey, uschar *cas)
{
int rc;
-uschar *cert_expanded, *key_expanded, *cas_expanded;
+uschar *cert_expanded, *key_expanded, *cas_expanded, *crl_expanded;
initialized = (host == NULL)? INITIALIZED_SERVER : INITIALIZED_CLIENT;
@@ -487,6 +487,18 @@
rc = gnutls_certificate_set_x509_trust_file(x509_cred, CS cas_expanded,
GNUTLS_X509_FMT_PEM);
if (rc < 0) return tls_error(US"setup_certs", host, rc);
+
+ /* +CRL support */
+ if ( tls_crl != NULL )
+ {
+ if (!expand_check(tls_crl, US"tls_crl", &crl_expanded))
+ return DEFER;
+ DEBUG(D_tls) debug_printf("Loading CRL file = %s\n", crl_expanded);
+ rc = gnutls_certificate_set_x509_crl_file(x509_cred, CS crl_expanded,
+ GNUTLS_X509_FMT_PEM );
+ if (rc < 0) return tls_error(US"CRL setup", host, rc);
+ }
+ /* -CRL support */
}
/* Associate the parameters with the x509 credentials structure. */
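Review bot: The CRL block is placed inside the brace closed just after `/* -CRL support */`, which in this hunk looks like the block that loads the trust file, so a configuration that sets tls_crl without the setting that opens that block presumably leaves the CRL silently unused; that block's opening is outside the hunk, so this needs confirming. gnutls_certificate_set_x509_crl_file returns the number of CRLs it processed on success, so a file from which no CRL is read passes the `rc < 0` test without any message; an `rc == 0` result should at least be reported under `DEBUG(D_tls)` or treated as a setup error. The spacing in `if ( tls_crl != NULL )` and `GNUTLS_X509_FMT_PEM )` differs from the surrounding `if (rc < 0)` style, and the `/* +CRL support */` / `/* -CRL support */` markers describe the patch rather than the code; a single comment such as `/* Load PEM CRLs from tls_crl, if set, so that revoked peer certificates fail verification. */` would serve better. tls_init starts and ends outside the hunk.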
@@ -653,7 +665,7 @@
/* Now negotiate the TLS session. We put our own timer on it, since it seems
that the GnuTLS library doesn't. */
-gnutls_transport_set_ptr(tls_session, fileno(smtp_out));
+gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)fileno(smtp_out));
sigalrm_seen = FALSE;
if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
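Review bot: The cast `(gnutls_transport_ptr)fileno(smtp_out)` converts an int directly to a pointer, which on 64-bit targets draws an int-to-pointer-of-different-size warning where gnutls_transport_ptr is a pointer typedef; converting through an integer of pointer width first, `(gnutls_transport_ptr)(long)fileno(smtp_out)`, avoids that. The same applies to `(gnutls_transport_ptr)fd` in the hunk at `@@ -750,7 +762,7 @@`. The enclosing functions start and end outside their hunks.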
@@ -750,7 +762,7 @@
if (tls_session == NULL)
return tls_error(US "tls_session_init", host, GNUTLS_E_MEMORY_ERROR);
-gnutls_transport_set_ptr(tls_session, fd);
+gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)fd);
/* There doesn't seem to be a built-in timeout on connection. */