X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/e8793bad207763b266bedcb9d859e238b6a3a04e..5a66c31b0ec1f4128df4398e18dfe497c2a34de7:/src/src/tls-gnu.c diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 280744ec0..7c3625216 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2013 */ +/* Copyright (c) University of Cambridge 1995 - 2014 */ /* See the file NOTICE for conditions of use and distribution. */ /* Copyright (c) Phil Pennock 2012 */ @@ -1604,18 +1604,27 @@ DEBUG(D_tls) debug_printf("Setting D-H prime minimum acceptable bits to %d\n", dh_min_bits); gnutls_dh_set_prime_bits(state->session, dh_min_bits); -if (state->exp_tls_verify_certificates == NULL) +/* stick to the old behaviour for compatibility if tls_verify_certificates is + set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only + the specified host patterns if one of them is defined */ +if (((state->exp_tls_verify_certificates != NULL) && (verify_hosts == NULL) && (try_verify_hosts == NULL)) || + (verify_check_host(&verify_hosts) == OK)) { - DEBUG(D_tls) debug_printf("TLS: server certificate verification not required\n"); - state->verify_requirement = VERIFY_NONE; - /* we still ask for it, to log it, etc */ + DEBUG(D_tls) debug_printf("TLS: server certificate verification required.\n"); + state->verify_requirement = VERIFY_REQUIRED; + gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE); + } +else if (verify_check_host(&try_verify_hosts) == OK) + { + DEBUG(D_tls) debug_printf("TLS: server certificate verification optional.\n"); + state->verify_requirement = VERIFY_OPTIONAL; gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUEST); } else { - DEBUG(D_tls) debug_printf("TLS: server certificate verification required\n"); - state->verify_requirement = VERIFY_REQUIRED; - gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE); + DEBUG(D_tls) debug_printf("TLS: server certificate verification not required.\n"); + state->verify_requirement = VERIFY_NONE; + gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE); } gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)fd);