Copyright year updates:

[exim.git] / src / src / tls-gnu.c

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 4f1169aa415a6ed37efba907a10901894dc8261c..7c3625216ae4d0832fa3cf381211aff2acb775f0 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2,7 +2,7 @@
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Copyright (c) Phil Pennock 2012 */
@@ -1563,6 +1563,8 @@ Arguments:
   require_ciphers   list of allowed ciphers or NULL
   dh_min_bits       minimum number of bits acceptable in server's DH prime
   timeout           startup timeout
+  verify_hosts     mandatory client verification 
+  try_verify_hosts optional client verification
 
 Returns:            OK/DEFER/FAIL (because using common functions),
                     but for a client, DEFER and FAIL have the same meaning
@@ -1577,7 +1579,8 @@ tls_client_start(int fd, host_item *host,
 #ifdef EXPERIMENTAL_OCSP
     uschar *require_ocsp ARG_UNUSED,
 #endif
-    int dh_min_bits, int timeout)
+    int dh_min_bits, int timeout,
+    uschar *verify_hosts, uschar *try_verify_hosts)
 {
 int rc;
 const char *error;
@@ -1601,18 +1604,27 @@ DEBUG(D_tls) debug_printf("Setting D-H prime minimum acceptable bits to %d\n",
     dh_min_bits);
 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
 
-if (state->exp_tls_verify_certificates == NULL)
+/* stick to the old behaviour for compatibility if tls_verify_certificates is 
+   set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only 
+   the specified host patterns if one of them is defined */
+if (((state->exp_tls_verify_certificates != NULL) && (verify_hosts == NULL) && (try_verify_hosts == NULL)) ||
+    (verify_check_host(&verify_hosts) == OK))
   {
-  DEBUG(D_tls) debug_printf("TLS: server certificate verification not required\n");
-  state->verify_requirement = VERIFY_NONE;
-  /* we still ask for it, to log it, etc */
+  DEBUG(D_tls) debug_printf("TLS: server certificate verification required.\n");
+  state->verify_requirement = VERIFY_REQUIRED;
+  gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
+  }
+else if (verify_check_host(&try_verify_hosts) == OK)
+  {
+  DEBUG(D_tls) debug_printf("TLS: server certificate verification optional.\n");
+  state->verify_requirement = VERIFY_OPTIONAL;
   gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
   }
 else
   {
-  DEBUG(D_tls) debug_printf("TLS: server certificate verification required\n");
-  state->verify_requirement = VERIFY_REQUIRED;
-  gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
+  DEBUG(D_tls) debug_printf("TLS: server certificate verification not required.\n");
+  state->verify_requirement = VERIFY_NONE;
+  gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
   }
 
 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)fd);