Gitweb:
http://git.exim.org/exim.git/commitdiff/0a92f87f7d62bb4f83fef5b8b10513cdd923fc2e
Commit: 0a92f87f7d62bb4f83fef5b8b10513cdd923fc2e
Parent: 93d4b03a2d9da8858f33c445b57128ef890f77fe
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Apr 21 16:34:01 2014 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Mon Apr 21 16:42:45 2014 +0100
Fix testcase "server missing/empty certificate file"
GnuTLS early versions (pre 3.0.0 ?) fail to send a reasonable
client-cert request when tls_verify_certificates is an empty file.
Since the test is for missing *server* certs (tls_certificate)
avoid this by pointing to a real (if non-verifying) cert in
tls_verify_certificates.
---
src/src/tls-gnu.c | 14 ++++++--------
test/confs/2024 | 3 ++-
test/log/2024 | 2 +-
test/stdout/2024 | 2 +-
4 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 7c36252..cbd44d6 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1228,25 +1228,23 @@ unsigned int verify;
*error = NULL;
-rc = peer_status(state);
-if (rc != OK)
+if ((rc = peer_status(state)) != OK)
{
verify = GNUTLS_CERT_INVALID;
- *error = "not supplied";
+ *error = "certificate not supplied";
}
else
- {
rc = gnutls_certificate_verify_peers2(state->session, &verify);
- }
/* Handle the result of verification. INVALID seems to be set as well
as REVOKED, but leave the test for both. */
-if ((rc < 0) || (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) != 0)
+if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
{
state->peer_cert_verified = FALSE;
- if (*error == NULL)
- *error = ((verify & GNUTLS_CERT_REVOKED) != 0) ? "revoked" : "invalid";
+ if (!*error)
+ *error = verify & GNUTLS_CERT_REVOKED
+ ? "certificate revoked" : "certificate invalid";
DEBUG(D_tls)
debug_printf("TLS certificate verification failed (%s): peerdn=%s\n",
diff --git a/test/confs/2024 b/test/confs/2024
index a677c4c..c59e975 100644
--- a/test/confs/2024
+++ b/test/confs/2024
@@ -24,6 +24,7 @@ tls_certificate = CERT
tls_privatekey = CERT
tls_verify_hosts = HOSTIPV4
-tls_verify_certificates = TVC
+#tls_verify_certificates = TVC
+tls_verify_certificates = CERT
# End
diff --git a/test/log/2024 b/test/log/2024
index c45da6e..117382b 100644
--- a/test/log/2024
+++ b/test/log/2024
@@ -1,4 +1,4 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (gnutls_handshake): The peer did not send any certificate.
+1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (certificate verification failed): certificate invalid
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 TLS error on connection from (rhu.barb) [ip4.ip4.ip4.ip4] (cert/key setup: cert=/non/exist key=/non/exist): Error while reading file.
diff --git a/test/stdout/2024 b/test/stdout/2024
index 2e30f7d..ecedd41 100644
--- a/test/stdout/2024
+++ b/test/stdout/2024
@@ -20,7 +20,7 @@ Key file = aux-fixed/cert2
??? 220
<<< 220 TLS go ahead
Attempting to start TLS
-Failed to start TLS
+Succeeded in starting TLS
End of script
Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
Certificate file = aux-fixed/cert2
