GnuTLS: fix the advertising of acceptable certs by the server. Bug 2389

(cherry picked from commit 12d95aa62042377fc9f603245a17a43142972447)
(cherry picked from commit 44893ba5249c6c6d5a0d62a1cc57ba3fbf7185b4)
(cherry picked from commit 7eb6988c118847820de130c9317f851983e0ba8b)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a026e720b8ec156cc02ac3db338fb735a99de34a..f02b9b6ecad5df68e9635fa4762d6641b3b14f96 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -72,6 +72,10 @@ JH/19 Bug 2398: fix listing of a named-queue.  Previously, even with the option
       queue_list_requires_admin set to false, non-admin users were denied the
       facility.
 
+JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
+      directory-of-certs mode.  Previously they were advertised despite the
+      documentation.
+
 
 Exim version 4.92
 -----------------

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 746eabfdeb4f6f9411afef84f8fd6153006f4788..867dbbe3dd8a438bcb1a951011068c39ab30e8d3 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1136,6 +1136,14 @@ else
 #endif
     gnutls_certificate_set_x509_trust_file(state->x509_cred,
       CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+
+#ifdef SUPPORT_CA_DIR
+  /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
+  when using the directory-of-certs config model. */
+
+  if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+    gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+#endif
   }
 
 if (cert_count < 0)