[exim-dev] [Bug 2389] tls_verify_certificates - with GnuTLS …

Top Page
Delete this message
Reply to this message
Author: admin
Date:  
To: exim-dev
Old-Topics: [exim-dev] [Bug 2389] New: tls_verify_certificates - with GnuTLS the CA list is sent no mater whether tls_verify_certificates points to dir or file
Subject: [exim-dev] [Bug 2389] tls_verify_certificates - with GnuTLS the CA list is sent no matter whether tls_verify_certificates points to directory or file
https://bugs.exim.org/show_bug.cgi?id=2389

Git Commit <git@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |git@???


--- Comment #8 from Git Commit <git@???> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/12d95aa62042377fc9f603245a17a43142972447

commit 12d95aa62042377fc9f603245a17a43142972447
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun May 19 12:12:36 2019 +0100
Commit:     Jeremy Harris <jgh146exb@???>
CommitDate: Sun May 19 12:12:36 2019 +0100


    GnuTLS: fix the advertising of acceptable certs by the server.  Bug 2389
---
 doc/doc-txt/ChangeLog | 4 ++++
 src/src/tls-gnu.c     | 8 ++++++++
 2 files changed, 12 insertions(+)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a204b37..98a4735 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -98,6 +98,10 @@ JH/19 Bug 2398: fix listing of a named-queue.  Previously,
even with the option
       queue_list_requires_admin set to false, non-admin users were denied the
       facility.


+JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
+      directory-of-certs mode.  Previously they were advertised despite the
+      documentation.
+


 Exim version 4.92
 -----------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index dc8cdab..423c3a2 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1143,6 +1143,14 @@ else
 #endif
     gnutls_certificate_set_x509_trust_file(state->x509_cred,
       CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+
+#ifdef SUPPORT_CA_DIR
+  /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
+  when using the directory-of-certs config model. */
+
+  if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+    gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+#endif
   }


if (cert_count < 0)

--
You are receiving this mail because:
You are on the CC list for the bug.