[exim-cvs] OpenSSL: avoid loading server's CA-list-for-clie…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] OpenSSL: avoid loading server's CA-list-for-client-notification on client
Gitweb: https://git.exim.org/exim.git/commitdiff/d06f582fd0714042fcc110c9e0f7665657bb9da5
Commit:     d06f582fd0714042fcc110c9e0f7665657bb9da5
Parent:     c06ddd664f4a0f6e485f6f9f6b5086aa4719a441
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Fri Mar 27 21:07:50 2020 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Fri Mar 27 21:07:50 2020 +0000


    OpenSSL: avoid loading server's CA-list-for-client-notification on client
---
 src/src/tls-openssl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 99d3f87..af5d952 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2498,7 +2498,7 @@ This is inconsistent with the need to verify the OCSP proof of the server cert.
 #endif
     }


-      /* If a certificate file is empty, the next function fails with an
+      /* If a certificate file is empty, the load function fails with an
       unhelpful error message. If we skip it, we get the correct behaviour (no
       certificates are recognized, but the error message is still misleading (it
       says no certificate was supplied).  But this is better. */
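Review bot: the comment being reworded here (the `+` line and the two context lines after it) still leaves the parenthesis opened at "(no certificates are recognized" unclosed and describes the same outcome twice as "unhelpful" and "misleading"; since the line is touched anyway, suggest closing it and tightening, e.g. `(no certificates are recognized, but the error message is still misleading: it says no certificate was supplied)`. "The load function" is also only meaningful because SSL_CTX_load_verify_locations happens to follow; naming it in the comment would make the remark self-contained.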
@@ -2507,9 +2507,9 @@ This is inconsistent with the need to verify the OCSP proof of the server cert.
          && !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
     return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);


-      /* Load the list of CAs for which we will accept certs, for sending
-      to the client.  This is only for the one-file tls_verify_certificates
-      variant.
+      /* On the server load the list of CAs for which we will accept certs, for
+      sending to the client.  This is only for the one-file
+      tls_verify_certificates variant.
       If a list isn't loaded into the server, but some verify locations are set,
       the server end appears to make a wildcard request for client certs.
       Meanwhile, the client library as default behaviour *ignores* the list
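Review bot: the reworded comment (the three `+` lines) now says "On the server", but nothing in this hunk shows how the server end is distinguished from the client; the condition that gates the block is outside the visible context and the only visible test is the later `if (!host)`. Suggest stating the mechanism in the comment, e.g. that a NULL `host` means this is the server end, so a reader can connect the comment to the guard that enforces it.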
@@ -2521,7 +2521,7 @@ This is inconsistent with the need to verify the OCSP proof of the server cert.
     {
     STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);


-    SSL_CTX_set_client_CA_list(sctx, names);
+    if (!host) SSL_CTX_set_client_CA_list(sctx, names);
     DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
                     sk_X509_NAME_num(names));
     }
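Review bot: at `if (!host) SSL_CTX_set_client_CA_list(sctx, names);` the client path now leaks `names`: SSL_load_client_CA_file still runs on both ends, SSL_CTX_set_client_CA_list is what takes ownership of the stack, and when `host` is non-NULL nothing frees it (`sk_X509_NAME_pop_free(names, X509_NAME_free)` would). The DEBUG line that follows also still reports "Added %d certificate authorities." on the client, where none were added. Both are fixed by moving the `!host` test up to guard the whole block (the load, the set and the DEBUG), which is also what the commit title "avoid loading ... on client" describes; as written the file is still loaded on the client and only the set is skipped. Pre-existing but worth handling while here: SSL_load_client_CA_file returns NULL on failure and there is no check before the set or the debug print.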