TLS: fix tls_verify_certificates handling of "system"

A previous try at managing it for new-enough versions of GnuTLS actually
broke it for everything: 744170d4d3

diff --git a/src/src/globals.c b/src/src/globals.c
index 1e12bcb92f709681696e1b8ef15bec7428c583ff..c3e8a16cf3d38d24b2808f17c6faabf22d1a1022 100644 (file)
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -147,11 +147,7 @@ uschar *tls_require_ciphers    = NULL;
 uschar *tls_resumption_hosts   = NULL;
 # endif
 uschar *tls_try_verify_hosts   = NULL;
-#if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
 uschar *tls_verify_certificates= US"system";
-#else
-uschar *tls_verify_certificates= NULL;
-#endif
 uschar *tls_verify_hosts       = NULL;
 int     tls_watch_fd          = -1;
 time_t  tls_watch_trigger_time = (time_t)0;

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index b9f8d2a51773afbd4aabbe401be1070dedf9395b..7d434f6afe06db7758c35b7045373e5b4f14f87d 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1526,9 +1526,14 @@ else if (  !tls_certificate && !tls_privatekey
 else
   DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
 
-/* If tls_verify_certificates is non-empty and has no $, load CAs */
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
 
-if (opt_set_and_noexpand(tls_verify_certificates))
+if (  opt_set_and_noexpand(tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+   && Ustrcmp(tls_verify_certificates, "system") != 0
+#endif
+   )
   {
   if (tls_set_watch(tls_verify_certificates, FALSE))
     {
@@ -1632,7 +1637,14 @@ else
   DEBUG(D_tls)
     debug_printf("TLS: not preloading client certs, for transport '%s'\n", t->name);
 
-if (opt_set_and_noexpand(ob->tls_verify_certificates))
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
+
+if (  opt_set_and_noexpand(ob->tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+   && Ustrcmp(ob->tls_verify_certificates, "system") != 0
+#endif
+   )
   {
   if (!watch || tls_set_watch(ob->tls_verify_certificates, FALSE))
     {
@@ -1848,7 +1860,8 @@ else
 provided. Experiment shows that, if the certificate file is empty, an unhelpful
 error message is provided. However, if we just refrain from setting anything up
 in that case, certificate verification fails, which seems to be the correct
-behaviour. */
+behaviour.
+If none was configured and we can't handle "system", treat as empty. */
 
 if (!state->lib_state.cabundle)
   {

diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index c62de724d8efa0a1bd7f759578468ea881a5002e..a121e34aee46b23b7b02eb832446c30db2780309 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -194,9 +194,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   .keepalive =                 TRUE,
   .retry_include_ip_address =  TRUE,
 #ifndef DISABLE_TLS
-# if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
   .tls_verify_certificates =   US"system",
-# endif
   .tls_dh_min_bits =           EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
   .tls_tempfail_tryclear =     TRUE,
   .tls_try_verify_hosts =      US"*",

diff --git a/test/runtest b/test/runtest
index 6f142c5406d78421516fa1e599a6614ea8e7978f..9bde9046fc8fb11d681e9314512e4fc387f74549 100755 (executable)
--- a/test/runtest
+++ b/test/runtest
@@ -1096,6 +1096,9 @@ RESET_AFTER_EXTRA_LINE_READ:
     next if /^GnuTLS<2>: added \d+ protocols, \d+ ciphersuites, \d+ sig algos and \d+ groups into priority list$/;
     next if /^GnuTLS<2>: (Disabling X.509 extensions|signing structure using RSA-SHA256)/;
     next if /^GnuTLS.*(wrap_nettle_mpi_print|gnutls_subject_alt_names_get|get_alt_name)/;
+    next if /^GnuTLS<[23]>: (p11|ASSERT: pkcs11.c|Initializing needed PKCS #11 modules)/;
+    next if /^Added \d{3} certificate authorities/;
+    next if /^TLS: not preloading CRL for server/;
 
     # only kevent platforms (FreeBSD, OpenBSD) say this
     next if /^watch dir/;