[exim-cvs] TLS: fix tls_verify_certificates handling of "sys…

Góra strony
Delete this message
Reply to this message
Autor: Exim Git Commits Mailing List
Data:  
Dla: exim-cvs
Temat: [exim-cvs] TLS: fix tls_verify_certificates handling of "system"
Gitweb: https://git.exim.org/exim.git/commitdiff/dbbc1c20b59dc10368e31a7c81f110eb40b36494
Commit:     dbbc1c20b59dc10368e31a7c81f110eb40b36494
Parent:     1c18b2f733ed64d4dfa4b4cf391ba73bb86cf030
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Jul 22 22:01:10 2021 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Jul 22 22:01:10 2021 +0100


    TLS: fix tls_verify_certificates handling of "system"


    A previous try at managing it for new-enough versions of GnuTLS actually
    broke it for everything: 744170d4d3
---
 src/src/globals.c         |  4 ----
 src/src/tls-gnu.c         | 21 +++++++++++++++++----
 src/src/transports/smtp.c |  2 --
 test/runtest              |  3 +++
 4 files changed, 20 insertions(+), 10 deletions(-)


diff --git a/src/src/globals.c b/src/src/globals.c
index 1e12bcb..c3e8a16 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -147,11 +147,7 @@ uschar *tls_require_ciphers    = NULL;
 uschar *tls_resumption_hosts   = NULL;
 # endif
 uschar *tls_try_verify_hosts   = NULL;
-#if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
 uschar *tls_verify_certificates= US"system";
-#else
-uschar *tls_verify_certificates= NULL;
-#endif
 uschar *tls_verify_hosts       = NULL;
 int     tls_watch_fd           = -1;
 time_t  tls_watch_trigger_time = (time_t)0;
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index b9f8d2a..7d434f6 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1526,9 +1526,14 @@ else if (  !tls_certificate && !tls_privatekey
 else
   DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");


-/* If tls_verify_certificates is non-empty and has no $, load CAs */
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */

-if (opt_set_and_noexpand(tls_verify_certificates))
+if (  opt_set_and_noexpand(tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+   && Ustrcmp(tls_verify_certificates, "system") != 0
+#endif
+   )
   {
   if (tls_set_watch(tls_verify_certificates, FALSE))
     {
@@ -1632,7 +1637,14 @@ else
   DEBUG(D_tls)
     debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);


-if (opt_set_and_noexpand(ob->tls_verify_certificates))
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
+
+if (  opt_set_and_noexpand(ob->tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+   && Ustrcmp(ob->tls_verify_certificates, "system") != 0
+#endif
+   )
   {
   if (!watch || tls_set_watch(ob->tls_verify_certificates, FALSE))
     {
@@ -1848,7 +1860,8 @@ else
 provided. Experiment shows that, if the certificate file is empty, an unhelpful
 error message is provided. However, if we just refrain from setting anything up
 in that case, certificate verification fails, which seems to be the correct
-behaviour. */
+behaviour.
+If none was configured and we can't handle "system", treat as empty. */


 if (!state->lib_state.cabundle)
   {
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index c62de72..a121e34 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -194,9 +194,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   .keepalive =            TRUE,
   .retry_include_ip_address =    TRUE,
 #ifndef DISABLE_TLS
-# if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
   .tls_verify_certificates =    US"system",
-# endif
   .tls_dh_min_bits =        EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
   .tls_tempfail_tryclear =    TRUE,
   .tls_try_verify_hosts =    US"*",
diff --git a/test/runtest b/test/runtest
index 6f142c5..9bde904 100755
--- a/test/runtest
+++ b/test/runtest
@@ -1096,6 +1096,9 @@ RESET_AFTER_EXTRA_LINE_READ:
     next if /^GnuTLS<2>: added \d+ protocols, \d+ ciphersuites, \d+ sig algos and \d+ groups into priority list$/;
     next if /^GnuTLS<2>: (Disabling X.509 extensions|signing structure using RSA-SHA256)/;
     next if /^GnuTLS.*(wrap_nettle_mpi_print|gnutls_subject_alt_names_get|get_alt_name)/;
+    next if /^GnuTLS<[23]>: (p11|ASSERT: pkcs11.c|Initializing needed PKCS #11 modules)/;
+    next if /^Added \d{3} certificate authorities/;
+    next if /^TLS: not preloading CRL for server/;


     # only kevent platforms (FreeBSD, OpenBSD) say this
     next if /^watch dir/;