Gitweb:
https://git.exim.org/exim.git/commitdiff/dbbc1c20b59dc10368e31a7c81f110eb40b36494
Commit: dbbc1c20b59dc10368e31a7c81f110eb40b36494
Parent: 1c18b2f733ed64d4dfa4b4cf391ba73bb86cf030
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Jul 22 22:01:10 2021 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Thu Jul 22 22:01:10 2021 +0100
TLS: fix tls_verify_certificates handling of "system"
A previous try at managing it for new-enough versions of GnuTLS actually
broke it for everything: 744170d4d3
---
src/src/globals.c | 4 ----
src/src/tls-gnu.c | 21 +++++++++++++++++----
src/src/transports/smtp.c | 2 --
test/runtest | 3 +++
4 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/src/src/globals.c b/src/src/globals.c
index 1e12bcb..c3e8a16 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -147,11 +147,7 @@ uschar *tls_require_ciphers = NULL;
uschar *tls_resumption_hosts = NULL;
# endif
uschar *tls_try_verify_hosts = NULL;
-#if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
uschar *tls_verify_certificates= US"system";
-#else
-uschar *tls_verify_certificates= NULL;
-#endif
uschar *tls_verify_hosts = NULL;
int tls_watch_fd = -1;
time_t tls_watch_trigger_time = (time_t)0;
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index b9f8d2a..7d434f6 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1526,9 +1526,14 @@ else if ( !tls_certificate && !tls_privatekey
else
DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
-/* If tls_verify_certificates is non-empty and has no $, load CAs */
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
-if (opt_set_and_noexpand(tls_verify_certificates))
+if ( opt_set_and_noexpand(tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ && Ustrcmp(tls_verify_certificates, "system") != 0
+#endif
+ )
{
if (tls_set_watch(tls_verify_certificates, FALSE))
{
@@ -1632,7 +1637,14 @@ else
DEBUG(D_tls)
debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
-if (opt_set_and_noexpand(ob->tls_verify_certificates))
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
+
+if ( opt_set_and_noexpand(ob->tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ && Ustrcmp(ob->tls_verify_certificates, "system") != 0
+#endif
+ )
{
if (!watch || tls_set_watch(ob->tls_verify_certificates, FALSE))
{
@@ -1848,7 +1860,8 @@ else
provided. Experiment shows that, if the certificate file is empty, an unhelpful
error message is provided. However, if we just refrain from setting anything up
in that case, certificate verification fails, which seems to be the correct
-behaviour. */
+behaviour.
+If none was configured and we can't handle "system", treat as empty. */
if (!state->lib_state.cabundle)
{
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index c62de72..a121e34 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -194,9 +194,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
.keepalive = TRUE,
.retry_include_ip_address = TRUE,
#ifndef DISABLE_TLS
-# if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
.tls_verify_certificates = US"system",
-# endif
.tls_dh_min_bits = EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
.tls_tempfail_tryclear = TRUE,
.tls_try_verify_hosts = US"*",
diff --git a/test/runtest b/test/runtest
index 6f142c5..9bde904 100755
--- a/test/runtest
+++ b/test/runtest
@@ -1096,6 +1096,9 @@ RESET_AFTER_EXTRA_LINE_READ:
next if /^GnuTLS<2>: added \d+ protocols, \d+ ciphersuites, \d+ sig algos and \d+ groups into priority list$/;
next if /^GnuTLS<2>: (Disabling X.509 extensions|signing structure using RSA-SHA256)/;
next if /^GnuTLS.*(wrap_nettle_mpi_print|gnutls_subject_alt_names_get|get_alt_name)/;
+ next if /^GnuTLS<[23]>: (p11|ASSERT: pkcs11.c|Initializing needed PKCS #11 modules)/;
+ next if /^Added \d{3} certificate authorities/;
+ next if /^TLS: not preloading CRL for server/;
# only kevent platforms (FreeBSD, OpenBSD) say this
next if /^watch dir/;
