X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/bc338899110ea22098559081f77cbd0f7a8044bd..5a66c31b0ec1f4128df4398e18dfe497c2a34de7:/src/src/tls-gnu.c
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index e089e350e..7c3625216 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2,7 +2,7 @@
 * Exim - an Internet mail transport agent *
 *************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2013 */
+/* Copyright (c) University of Cambridge 1995 - 2014 */
 /* See the file NOTICE for conditions of use and distribution. */
 /* Copyright (c) Phil Pennock 2012 */
@@ -1563,6 +1563,8 @@ Arguments:
 require_ciphers list of allowed ciphers or NULL
 dh_min_bits minimum number of bits acceptable in server's DH prime
 timeout startup timeout
+ verify_hosts mandatory client verification
+ try_verify_hosts optional client verification
 Returns: OK/DEFER/FAIL (because using common functions),
 but for a client, DEFER and FAIL have the same meaning
@@ -1577,7 +1579,8 @@ tls_client_start(int fd, host_item *host,
 #ifdef EXPERIMENTAL_OCSP
 uschar *require_ocsp ARG_UNUSED,
 #endif
- int dh_min_bits, int timeout)
+ int dh_min_bits, int timeout,
+ uschar *verify_hosts, uschar *try_verify_hosts)
 {
 int rc;
 const char *error;
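Review bot: The two new Arguments entries describe verify_hosts and try_verify_hosts as "mandatory client verification" and "optional client verification", but tls_client_start is the client side of the connection and, per the debug messages added in the later hunk, these lists decide whether the server's certificate is verified. Suggest `verify_hosts     hosts for which server certificate verification is mandatory` and `try_verify_hosts hosts for which server certificate verification is optional` so the comment is not read as TLS client-certificate authentication. The Arguments block starts outside the hunk.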
@@ -1601,18 +1604,27 @@ DEBUG(D_tls) debug_printf("Setting D-H prime minimum acceptable bits to %d\n",
 dh_min_bits);
 gnutls_dh_set_prime_bits(state->session, dh_min_bits);
-if (verify_certs == NULL)
+/* stick to the old behaviour for compatibility if tls_verify_certificates is
+ set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only
+ the specified host patterns if one of them is defined */
+if (((state->exp_tls_verify_certificates != NULL) && (verify_hosts == NULL) && (try_verify_hosts == NULL)) ||
+ (verify_check_host(&verify_hosts) == OK))
 {
- DEBUG(D_tls) debug_printf("TLS: server certificate verification not required\n");
- state->verify_requirement = VERIFY_NONE;
- /* we still ask for it, to log it, etc */
+ DEBUG(D_tls) debug_printf("TLS: server certificate verification required.\n");
+ state->verify_requirement = VERIFY_REQUIRED;
+ gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
+ }
+else if (verify_check_host(&try_verify_hosts) == OK)
+ {
+ DEBUG(D_tls) debug_printf("TLS: server certificate verification optional.\n");
+ state->verify_requirement = VERIFY_OPTIONAL;
 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST);
 }
 else
 {
- DEBUG(D_tls) debug_printf("TLS: server certificate verification required\n");
- state->verify_requirement = VERIFY_REQUIRED;
- gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
+ DEBUG(D_tls) debug_printf("TLS: server certificate verification not required.\n");
+ state->verify_requirement = VERIFY_NONE;
+ gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
 }
 gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)fd);
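Review bot: A DEFER result from `verify_check_host(&verify_hosts)` is not distinguished from FAIL in the new condition, so a temporary host-list lookup problem falls through the else-if to the final else and the session is set up with VERIFY_NONE — the unverified path is taken precisely when the match could not be evaluated. If verify_check_host can return DEFER here (it appears to for host lists that need a lookup, though I cannot confirm that from this hunk), capture the result and fail closed, e.g. `rc = verify_check_host(&verify_hosts); if (rc == DEFER) return DEFER;` and likewise for try_verify_hosts, using whatever error path the rest of tls_client_start already uses. The comment above the condition could also state the rule more precisely: `/* Compatibility: if tls_verify_certificates is set and neither tls_verify_hosts nor tls_try_verify_hosts is, verification is required for every host; otherwise only the listed hosts are checked. */`. tls_client_start continues outside the hunk on both sides.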