GnuTLS: fix the advertising of acceptable certs by the server. Bug 2389
authorJeremy Harris <jgh146exb@wizmail.org>
Sun, 19 May 2019 11:12:36 +0000 (12:12 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Sun, 19 May 2019 11:12:36 +0000 (12:12 +0100)
doc/doc-txt/ChangeLog
src/src/tls-gnu.c

index a204b37846f33a1e203536653e58ba56f4303934..98a473539672d6df99d9c62aefb43a9a07349101 100644 (file)
@@ -98,6 +98,10 @@ JH/19 Bug 2398: fix listing of a named-queue.  Previously, even with the option
       queue_list_requires_admin set to false, non-admin users were denied the
       facility.
 
+JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
+      directory-of-certs mode.  Previously they were advertised despite the
+      documentation.
+
 
 Exim version 4.92
 -----------------
index dc8cdab5c34f0c46d969e24dab30e57b5ec92155..423c3a23db4659a2874723e168f48f1c57347eda 100644 (file)
@@ -1143,6 +1143,14 @@ else
 #endif
     gnutls_certificate_set_x509_trust_file(state->x509_cred,
       CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+
+#ifdef SUPPORT_CA_DIR
+  /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
+  when using the directory-of-certs config model. */
+
+  if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+    gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+#endif
   }
 
 if (cert_count < 0)