[exim-cvs] OpenSSL fix empty tls_verify_certificates.

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] OpenSSL fix empty tls_verify_certificates.
Gitweb: http://git.exim.org/exim.git/commitdiff/26e72755c101f59e24735e9ca9a320d5f1ebc2b7
Commit:     26e72755c101f59e24735e9ca9a320d5f1ebc2b7
Parent:     61147df48889217a1c1023d8c6e2431c24967686
Author:     Phil Pennock <pdp@???>
AuthorDate: Wed Mar 13 19:48:22 2013 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Wed Mar 13 19:48:22 2013 -0400

    OpenSSL fix empty tls_verify_certificates.

    New behaviour matches GnuTLS handling, and is documented.

    Previously, a tls_verify_certificates expansion forced failure was the
    only portable way to avoid setting this option.  Now, an empty string is
    equivalent.
---
 doc/doc-docbook/spec.xfpt |    3 +++
 doc/doc-txt/ChangeLog     |    6 ++++++
 src/src/tls-openssl.c     |    2 +-
 3 files changed, 10 insertions(+), 1 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 9c03523..92d0a22 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16066,6 +16066,9 @@ use OpenSSL with a directory.

See &<<SECTtlssni>>& for discussion of when this option might be re-expanded.

+A forced expansion failure or setting to an empty string is equivalent to
+being unset.
+

 .option tls_verify_hosts main "host list&!!" unset
 .cindex "TLS" "client certificate verification"
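Review bot: the added sentence states the equivalence but not that it is new for OpenSSL builds; a reader maintaining an older configuration cannot tell from this paragraph that the empty-string form only became portable with this change, while the forced-expansion-failure form worked before it. Consider a short qualifier such as "(the empty-string form is supported from this release; earlier OpenSSL builds required the forced expansion failure)" or a pointer to the corresponding ChangeLog entry, so the spec and the ChangeLog tell the same story.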
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c8155aa..a2e204d 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -175,6 +175,12 @@ PP/17 Update configure.default to handle IPv6 localhost better.
       Patch by Alain Williams (plus minor tweaks).
       Bugzilla 880.


+PP/18 OpenSSL made graceful with empty tls_verify_certificates setting.
+      This is now consistent with GnuTLS, and is now documented: the
+      previous undocumented portable approach to treating the option as
+      unset was to force an expansion failure.  That still works, and
+      an empty string is now equivalent.
+


Exim version 4.80.1
-------------------
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index d879f08..42afd39 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1008,7 +1008,7 @@ uschar *expcerts, *expcrl;
if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
return DEFER;

-if (expcerts != NULL)
+if (expcerts != NULL && *expcerts != '\0')
{
struct stat statbuf;
if (!SSL_CTX_set_default_verify_paths(sctx))
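Review bot: the new condition `*expcerts != '\0'` only recognises a zero-length expansion as "unset"; a value that expands to whitespace or a stray newline is non-empty, so it still enters the block below (the one declaring `struct stat statbuf`) and is then handled as if it were a real path. If the intent is "empty means unset", either skip leading whitespace before the test or make the spec.xfpt wording precise that only a strictly empty string counts. Since skipping this block means `SSL_CTX_set_default_verify_paths(sctx)` and the rest of the verification setup are never run, a debug-level log line noting that tls_verify_certificates expanded to empty and is being treated as unset would make an accidental empty expansion visible to the operator rather than silent.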