+ if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+ if (state->session)
+ gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+ else
+ state->lib_state.ca_rdn_emulate = TRUE;
+#endif
+ }
+
+if (cert_count < 0)
+ return tls_error_gnu(state, US"setting certificate trust", cert_count, errstr);
+DEBUG(D_tls)
+ debug_printf("Added %d certificate authorities\n", cert_count);
+
+return OK;
+}
+
+
+static int
+creds_load_crl(exim_gnutls_state_st * state, const uschar * crl, uschar ** errstr)
+{
+int cert_count;
+DEBUG(D_tls) debug_printf("loading CRL file = %s\n", crl);
+if ((cert_count = gnutls_certificate_set_x509_crl_file(state->lib_state.x509_cred,
+ CS crl, GNUTLS_X509_FMT_PEM)) < 0)
+ return tls_error_gnu(state, US"gnutls_certificate_set_x509_crl_file",
+ cert_count, errstr);
+
+DEBUG(D_tls) debug_printf("Processed %d CRLs\n", cert_count);
+return OK;
+}
+
+
+static int
+creds_load_pristring(exim_gnutls_state_st * state, const uschar * p,
+ const char ** errpos)
+{
+if (!p)
+ {
+ p = exim_default_gnutls_priority;
+ DEBUG(D_tls)
+ debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
+ }
+return gnutls_priority_init( (gnutls_priority_t *) &state->lib_state.pri_cache,
+ CCS p, errpos);
+}
+
+static unsigned
+tls_server_creds_init(void)
+{
+uschar * dummy_errstr;
+unsigned lifetime = 0;
+
+state_server.lib_state = null_tls_preload;
+if (gnutls_certificate_allocate_credentials(
+ (gnutls_certificate_credentials_t *) &state_server.lib_state.x509_cred))
+ {
+ state_server.lib_state.x509_cred = NULL;
+ return lifetime;
+ }
+creds_basic_init(state_server.lib_state.x509_cred, TRUE);
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+/* If tls_certificate has any $ indicating expansions, it is not good.
+If tls_privatekey is set but has $, not good. Likewise for tls_ocsp_file.
+If all good (and tls_certificate set), load the cert(s). */
+
+if ( opt_set_and_noexpand(tls_certificate)
+# ifndef DISABLE_OCSP
+ && opt_unset_or_noexpand(tls_ocsp_file)
+# endif
+ && opt_unset_or_noexpand(tls_privatekey))
+ {
+ /* Set watches on the filenames. The implementation does de-duplication
+ so we can just blindly do them all.
+ */
+
+ if ( tls_set_watch(tls_certificate, TRUE)
+# ifndef DISABLE_OCSP
+ && tls_set_watch(tls_ocsp_file, TRUE)
+# endif
+ && tls_set_watch(tls_privatekey, TRUE))
+ {
+ DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
+ if (creds_load_server_certs(&state_server, tls_certificate,
+ tls_privatekey && *tls_privatekey ? tls_privatekey : tls_certificate,
+# ifdef DISABLE_OCSP
+ NULL,