http://bugs.exim.org/show_bug.cgi?id=1371
Summary: tls_try_verify_hosts missing for smtp_transport
Product: Exim
Version: 4.80.1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: TLS
AssignedTo: pdp@???
ReportedBy: wbreyha@???
CC: exim-dev@???
Created an attachment (id=643) --> (http://bugs.exim.org/attachment.cgi?id=643)
implements tls_(try_)verify_hosts for smtp_transport for 4.80.1
As discussed on exim-users already...
The smtp transport is missing something like tls_try_verify_hosts and
tls_verify_hosts to avoid dropping an SSL connection if verification of the
server cert fails.
Currently Exim tries to verify server certs as soon as tls_certificates is set.
Since there are many servers (even big ones like linkedin.com) with a broken SSL
setup, many connections stop using SSL.
The attached patch fixes this. It tries to get exactly the same behaviour as
client cert verification on incoming connections.
Setting tls_certificates only now triggers no verification at all.
Setting tls_try_verify_hosts in smtp transport does exactly the same as the
global option.
Same for tls_verify_hosts.
I tried, for both GnuTLS and OpenSSL, to
*) set neither of the two while tls_certificates was set.
*) set tls_try_verify_hosts = *
*) set try_verify_hosts = *
Both did at least what I expected ;-)