* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2014 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
/* See the file NOTICE for conditions of use and distribution. */
/* Copyright (c) Phil Pennock 2012 */
uschar *exp_tls_crl;
uschar *exp_tls_require_ciphers;
uschar *exp_tls_ocsp_file;
- uschar *exp_tls_verify_cert_hostnames;
+ const uschar *exp_tls_verify_cert_hostnames;
#ifdef EXPERIMENTAL_EVENT
uschar *event_action;
#endif
static BOOL exim_gnutls_base_init_done = FALSE;
+static BOOL gnutls_buggy_ocsp = FALSE;
+
/* ------------------------------------------------------------------------ */
/* macros */
&& tls_ocsp_file
)
{
- if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
- &state->exp_tls_ocsp_file))
- return DEFER;
+ if (gnutls_buggy_ocsp)
+ {
+ DEBUG(D_tls) debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
+ }
+ else
+ {
+ if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
+ &state->exp_tls_ocsp_file))
+ return DEFER;
- /* Use the full callback method for stapling just to get observability.
- More efficient would be to read the file once only, if it never changed
- (due to SNI). Would need restart on file update, or watch datestamp. */
+ /* Use the full callback method for stapling just to get observability.
+ More efficient would be to read the file once only, if it never changed
+ (due to SNI). Would need restart on file update, or watch datestamp. */
- gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
- server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
+ gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
+ server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
- DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file);
+ DEBUG(D_tls) debug_printf("OCSP response file = %s\n", state->exp_tls_ocsp_file);
+ }
}
#endif
{
if (!expand_check_tlsvar(tls_verify_certificates))
return DEFER;
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
+ state->exp_tls_verify_certificates = NULL;
+#endif
if (state->tls_crl && *state->tls_crl)
if (!expand_check_tlsvar(tls_crl))
return DEFER;
* Initialize for GnuTLS *
*************************************************/
+
+static BOOL
+tls_is_buggy_ocsp(void)
+{
+const uschar * s;
+uschar maj, mid, mic;
+
+s = CUS gnutls_check_version(NULL);
+maj = atoi(CCS s);
+if (maj == 3)
+ {
+ while (*s && *s != '.') s++;
+ mid = atoi(CCS ++s);
+ if (mid <= 2)
+ return TRUE;
+ else if (mid >= 5)
+ return FALSE;
+ else
+ {
+ while (*s && *s != '.') s++;
+ mic = atoi(CCS ++s);
+ return mic <= (mid == 3 ? 16 : 3);
+ }
+ }
+return FALSE;
+}
+
+
+
/* Called from both server and client code. In the case of a server, errors
before actual TLS negotiation return DEFER.
}
#endif
+ if ((gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
+ log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
+
exim_gnutls_base_init_done = TRUE;
}
if (state->exp_tls_verify_cert_hostnames)
{
int sep = 0;
- uschar * list = state->exp_tls_verify_cert_hostnames;
+ const uschar * list = state->exp_tls_verify_cert_hostnames;
uschar * name;
while (name = string_nextinlist(&list, &sep, NULL, 0))
if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
{
if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
{
- state->exp_tls_verify_cert_hostnames = host->name;
+ state->exp_tls_verify_cert_hostnames =
+#ifdef EXPERIMENTAL_INTERNATIONAL
+ string_domain_utf8_to_alabel(host->name, NULL);
+#else
+ host->name;
+#endif
DEBUG(D_tls)
debug_printf("TLS: server cert verification includes hostname: \"%s\".\n",
state->exp_tls_verify_cert_hostnames);
if ( ( state->exp_tls_verify_certificates
&& !ob->tls_verify_hosts
- && !ob->tls_try_verify_hosts
+ && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
)
|| verify_check_given_host(&ob->tls_verify_hosts, host) == OK
)