From: Jeremy Harris Date: Wed, 5 Nov 2014 18:24:00 +0000 (+0000) Subject: Do not permit multi-component wildcards on certificate names (OpenSSL, EXPERIMENTAL_C... X-Git-Tag: exim-4_85_RC1~9 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/09c17790eec23907b93df1ec7cee746b28dfc836 Do not permit multi-component wildcards on certificate names (OpenSSL, EXPERIMENTAL_CERTNAMES) --- 09c17790eec23907b93df1ec7cee746b28dfc836 diff --cc doc/doc-txt/ChangeLog index 5a298d161,b389a7deb..997a459c8 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@@ -59,9 -59,11 +59,14 @@@ JH/08 Rename the TPDA expermimental fac raised for inbound connections, if the main configuration event_action option is defined. +TL/06 In test suite, disable OCSP for old versions of openssl which contained + early OCSP support, but no stapling (appears to be less than 1.0.0). + + JH/09 When compiled with OpenSSL and EXPERIMENTAL_CERTNAMES, the checks on + server certificate names available under the smtp transport option + "tls_verify_cert_hostname" now do not permit multi-component wildcard + matches. + Exim version 4.84 ----------------- diff --cc doc/doc-txt/experimental-spec.txt index faa64df68,8192f3d76..266e19891 --- a/doc/doc-txt/experimental-spec.txt +++ b/doc/doc-txt/experimental-spec.txt @@@ -1151,10 -1153,10 +1153,14 @@@ that they are owned by the expected hos support to date has not made these checks. If built with EXPERIMENTAL_CERTNAMES defined, code is - included to do so, and a new smtp transport option - "tls_verify_cert_hostname" supported which takes a list of - names for which the checks must be made. The host must - also be in "tls_verify_hosts". + included to do so for server certificates, and a new smtp transport option -"tls_verify_cert_hostname" supported which takes a list of -names for which the checks must be made. The host must -also be in "tls_verify_hosts". 
++"tls_verify_cert_hostnames" supported which takes a list of ++names for which the additional checks must be made. ++The option currently defaults to empty, but this may change in ++the future. "*" is probably a suitable value. ++Whether certificate verification is done at all, and the result of ++it failing, is stll under the control of "tls_verify_hosts" nad ++"tls_try_verify_hosts". Both Subject and Subject-Alternate-Name certificate fields are supported, as are wildcard certificates (limited to
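Review bot: In the ChangeLog hunk, the JH/09 entry refers to the smtp transport option as "tls_verify_cert_hostname", but the experimental-spec.txt hunk in the same commit documents it as "tls_verify_cert_hostnames"; the two should agree, since an operator grepping the ChangeLog for the option name will otherwise not find it in the spec. The entry would also be more useful if it stated what a "multi-component wildcard match" is (a wildcard name being allowed to match more than one component of the server's hostname), because this is a tightening that can make a certificate that previously verified now fail, and operators of hosts covered by "tls_verify_cert_hostnames" need to know which names are affected.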
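Review bot: In the experimental-spec.txt hunk, two of the newly added lines contain typos: `++it failing, is stll under the control of "tls_verify_hosts" nad` should read "still" and "and". On substance, the added text `++The option currently defaults to empty, but this may change in` and `++the future. "*" is probably a suitable value.` leaves implicit that, with the empty default, no certificate name check is made for any host, even one listed in "tls_verify_hosts"; since this section replaces the previous sentence "The host must also be in tls_verify_hosts", it would be clearer to say outright that name checking happens only for hosts matching "tls_verify_cert_hostnames", and that an operator wanting name checks must set the option (for example to "*") rather than rely on the default. The last added context line ends mid-sentence at "(limited to", so the hunk as shown does not let a reviewer see the wildcard restriction it is meant to introduce.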