Re: [exim] 4.95 RC0 - gnutls outgoing TLS cert verification …

Góra strony
Delete this message
Reply to this message
Autor: Jeremy Harris
Data:  
Dla: exim-users
Temat: Re: [exim] 4.95 RC0 - gnutls outgoing TLS cert verification broken
On 19/07/2021 07:29, Andreas Metzler via Exim-users wrote:
> On 2021-07-19 Andreas Metzler <eximusers@???> wrote:
> [...]
>> with 4.92.2
>> tls_verify_certificates = system
>> and 4.95 rc0
>> tls_verify_certificates =
>
> Hello,
>
> SUPPORT_SYSDEFAULT_CABUNDLE is #defined in src/tls-gnu.c
> #if GNUTLS_VERSION_NUMBER >= 0x030014
> # define SUPPORT_SYSDEFAULT_CABUNDLE
> #endif
> but checked for in (in vain) in src/transports/smtp.c and src/globals.c.


Thanks for tracing this.
Proposed fix attached.
--
Cheers,
Jeremy
diff --git a/src/src/globals.c b/src/src/globals.c
index 1e12bcb92..c3e8a16cf 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -147,11 +147,7 @@ uschar *tls_require_ciphers    = NULL;
 uschar *tls_resumption_hosts   = NULL;
 # endif
 uschar *tls_try_verify_hosts   = NULL;
-#if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
 uschar *tls_verify_certificates= US"system";
-#else
-uschar *tls_verify_certificates= NULL;
-#endif
 uschar *tls_verify_hosts       = NULL;
 int     tls_watch_fd           = -1;
 time_t  tls_watch_trigger_time = (time_t)0;
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index b9f8d2a51..7d434f6af 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1526,9 +1526,14 @@ else if (  !tls_certificate && !tls_privatekey
 else
   DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");


-/* If tls_verify_certificates is non-empty and has no $, load CAs */
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */

-if (opt_set_and_noexpand(tls_verify_certificates))
+if (  opt_set_and_noexpand(tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+   && Ustrcmp(tls_verify_certificates, "system") != 0
+#endif
+   )
   {
   if (tls_set_watch(tls_verify_certificates, FALSE))
     {
@@ -1632,7 +1637,14 @@ else
   DEBUG(D_tls)
     debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);


-if (opt_set_and_noexpand(ob->tls_verify_certificates))
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
+
+if (  opt_set_and_noexpand(ob->tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+   && Ustrcmp(ob->tls_verify_certificates, "system") != 0
+#endif
+   )
   {
   if (!watch || tls_set_watch(ob->tls_verify_certificates, FALSE))
     {
@@ -1848,7 +1860,8 @@ else
 provided. Experiment shows that, if the certificate file is empty, an unhelpful
 error message is provided. However, if we just refrain from setting anything up
 in that case, certificate verification fails, which seems to be the correct
-behaviour. */
+behaviour.
+If none was configured and we can't handle "system", treat as empty. */


 if (!state->lib_state.cabundle)
   {
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index c62de724d..a121e34ae 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -194,9 +194,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   .keepalive =            TRUE,
   .retry_include_ip_address =    TRUE,
 #ifndef DISABLE_TLS
-# if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
   .tls_verify_certificates =    US"system",
-# endif
   .tls_dh_min_bits =        EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
   .tls_tempfail_tryclear =    TRUE,
   .tls_try_verify_hosts =    US"*",
diff --git a/test/runtest b/test/runtest
index 6f142c540..9bde9046f 100755
--- a/test/runtest
+++ b/test/runtest
@@ -1096,6 +1096,9 @@ RESET_AFTER_EXTRA_LINE_READ:
     next if /^GnuTLS<2>: added \d+ protocols, \d+ ciphersuites, \d+ sig algos and \d+ groups into priority list$/;
     next if /^GnuTLS<2>: (Disabling X.509 extensions|signing structure using RSA-SHA256)/;
     next if /^GnuTLS.*(wrap_nettle_mpi_print|gnutls_subject_alt_names_get|get_alt_name)/;
+    next if /^GnuTLS<[23]>: (p11|ASSERT: pkcs11.c|Initializing needed PKCS #11 modules)/;
+    next if /^Added \d{3} certificate authorities/;
+    next if /^TLS: not preloading CRL for server/;


     # only kevent platforms (FreeBSD, OpenBSD) say this
     next if /^watch dir/;