[exim-cvs] Make "system" location for certificate CA bundle …

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Make "system" location for certificate CA bundle the default
Gitweb: http://git.exim.org/exim.git/commitdiff/0e0f3f562bf23cf035baf85cdd071d392751b676
Commit:     0e0f3f562bf23cf035baf85cdd071d392751b676
Parent:     cb1d783072c488a4a558607b2ee122efba95aa4b
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Nov 23 16:58:06 2014 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Jan 12 18:58:34 2015 +0000


    Make "system" location for certificate CA bundle the default
---
 doc/doc-docbook/spec.xfpt |   12 +++++++-----
 doc/doc-txt/ChangeLog     |    2 +-
 src/src/globals.c         |    2 +-
 src/src/tls-gnu.c         |    6 +++++-
 src/src/transports/smtp.c |    2 +-
 5 files changed, 15 insertions(+), 9 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index dc7e4f7..7dfc4d6 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16478,7 +16478,7 @@ preference order of the available ciphers. Details are given in sections
See &%tls_verify_hosts%& below.


-.option tls_verify_certificates main string&!! unset
+.option tls_verify_certificates main string&!! system
.cindex "TLS" "client certificate verification"
.cindex "certificate" "verification of client"
The value of this option is expanded, and must then be either the
@@ -16489,7 +16489,8 @@ match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&.

The "system" value for the option will use a
system default location compiled into the SSL library.
-This is not available for GnuTLS versions preceding 3.0.20 and an explicit location
+This is not available for GnuTLS versions preceding 3.0.20,
+and will be taken as empty; an explicit location
must be specified.

The use of a directory for the option value is not avilable for GnuTLS versions
@@ -23458,7 +23459,7 @@ limited to being the initial component of a 3-or-more component FQDN.
There is no equivalent checking on client certificates.


-.option tls_verify_certificates smtp string&!! unset
+.option tls_verify_certificates smtp string&!! system
.cindex "TLS" "server certificate verification"
.cindex "certificate" "verification of server"
.vindex "&$host$&"
@@ -23470,7 +23471,8 @@ a file or directory containing permitted certificates for servers,
for use when setting up an encrypted connection.

The "system" value for the option will use a location compiled into the SSL library.
-This is not available for GnuTLS versions preceding 3.0.20 and an explicit location
+This is not available for GnuTLS versions preceding 3.0.20; a value of "system"
+is taken as empty and an explicit location
must be specified.

The use of a directory for the option value is not avilable for GnuTLS versions
@@ -26479,7 +26481,7 @@ if it requests it. If the server is Exim, it will request a certificate only if
&%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.

 If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it
-specified a collection of expected server certificates.
+specifies a collection of expected server certificates.
 These may be the system default set (depeding on library version),
 a file or,
 depnding on liibrary version, a directory,
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index f2954b9..76d18a8 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -18,7 +18,7 @@ JH/04 Certificate name checking on server certificates, when exim is a client,
       EXPERIMENTAL_CERTNAMES is withdrawn.


 JH/05 The value of the tls_verify_certificates smtp transport and main options
-      can now be the word "system" to access the system default CA bundle.
+      default to the word "system" to access the system default CA bundle.
       For GnuTLS, only version 3.0.20 or later.



diff --git a/src/src/globals.c b/src/src/globals.c
index a7beec6..1b09008 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -166,7 +166,7 @@ uschar *tls_privatekey         = NULL;
 BOOL    tls_remember_esmtp     = FALSE;
 uschar *tls_require_ciphers    = NULL;
 uschar *tls_try_verify_hosts   = NULL;
-uschar *tls_verify_certificates= NULL;
+uschar *tls_verify_certificates= US"system";
 uschar *tls_verify_hosts       = NULL;
 #endif


diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 4943f48..42d0422 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -853,7 +853,11 @@ error message is provided. However, if we just refrain from setting anything up
in that case, certificate verification fails, which seems to be the correct
behaviour. */

-if (state->tls_verify_certificates && *state->tls_verify_certificates)
+if (  state->tls_verify_certificates && *state->tls_verify_certificates
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+   && Ustrcmp(state->exp_tls_verify_certificates, "system") != 0
+#endif
+   )
   {
   if (!expand_check_tlsvar(tls_verify_certificates))
     return DEFER;
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index f57ee69..a455ba5 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -255,7 +255,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   NULL,                /* gnutls_require_mac */
   NULL,                /* gnutls_require_proto */
   NULL,                /* tls_sni */
-  NULL,                /* tls_verify_certificates */
+  US"system",          /* tls_verify_certificates */
   EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
                        /* tls_dh_min_bits */
   TRUE,                /* tls_tempfail_tryclear */