[exim-dev] [Bug 1371] New: tls_try_verify_hosts missing for …

Author: Wolfgang Breyha
To: exim-dev
Subject: [exim-dev] [Bug 1371] New: tls_try_verify_hosts missing for smtp_transport

http://bugs.exim.org/show_bug.cgi?id=1371
           Summary: tls_try_verify_hosts missing for smtp_transport
           Product: Exim
           Version: 4.80.1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: TLS
        AssignedTo: pdp@???
        ReportedBy: wbreyha@???
                CC: exim-dev@???



Created an attachment (id=643)
--> (http://bugs.exim.org/attachment.cgi?id=643)
implements tls_(try_)verify_hosts for smtp_transport for 4.80.1

As discussed on exim-users already...

smtp transport is missing something like tls_try_verify_hosts and
tls_verify_hosts to avoid dropping an SSL connection if verification of the
server cert fails.

Currently exim tries to verify server certs as soon as tls_certificates is set.
Since there are many servers (even big ones like linkedin.com) with broken SSL
setups, many connections stop using SSL.

The attached patch fixes this. It tries to get exactly the same behaviour as
client cert verification on incoming connections.

Setting tls_certificates only now triggers no verification at all.
Setting tls_try_verify_hosts in smtp transport does exactly the same as the
global option.
Same for tls_verify_hosts.

I tried for both gnutls and openssl to
*) set neither of the two while tls_certificates was set.
*) set tls_try_verify_hosts = *
*) set tls_verify_hosts = *

Both did at least what I expected ;-)


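As an added illustration of the configuration difference the report describes (not part of the bug report or of the attached patch), here is an smtp transport before and after the proposed options. Assumptions: the verification trigger is the transport's tls_verify_certificates option (the report writes "tls_certificates"), the new options take host lists like the global tls_verify_hosts / tls_try_verify_hosts, the CA bundle path and the mail.example.org host are placeholders.

```exim
# Exim 4.80.1 smtp transport, stock behaviour (assumed option name):
# as soon as a CA bundle is configured, every server cert is verified,
# and a verification failure aborts the TLS session. Unless
# hosts_require_tls matches, delivery then continues without TLS,
# which is the "connections stop using SSL" effect from the report.
remote_smtp_stock:
  driver = smtp
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt

# Same transport with the options the attached patch proposes.
# tls_try_verify_hosts: verify against the bundle where it works, but
# keep the (unverified) TLS session when verification fails.
# tls_verify_hosts: hosts where failed verification must still abort,
# e.g. partners whose certificates you control. Host lists assumed,
# mirroring the global options the report says the patch copies.
remote_smtp_patched:
  driver = smtp
  tls_verify_certificates = /etc/ssl/certs/ca-certificates.crt
  tls_try_verify_hosts = *
  tls_verify_hosts = mail.example.org
  # strict peers should also not fall back to cleartext
  hosts_require_tls = mail.example.org
```

Two caveats a practitioner would want to keep in mind: an unverified TLS session protects only against passive eavesdropping, so any host that deserves protection from an active attacker belongs in tls_verify_hosts (and hosts_require_tls), not in the try list; and after applying the patch, `exim -bP transport remote_smtp_patched` is a quick way to confirm the new options are recognised and set as intended before relying on them.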