From: Jeremy Harris
Date: Thu, 15 May 2014 23:07:31 +0000 (+0100)
Subject: Tidy certificate verification logic under OpenSSL
X-Git-Tag: exim-4_83_RC1~18
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/93dcb1c245e78806b621bbc955b1a316f806e5a3
Tidy certificate verification logic under OpenSSL
---
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index db2544c03..f6ded3c56 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -284,12 +284,11 @@ if (state == 0)
 }
 DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
 "tls_try_verify_hosts)\n");
- return 1; /* accept */
 }
-if (x509ctx->error_depth != 0)
+else if (x509ctx->error_depth != 0)
 {
- DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
+ DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n",
 x509ctx->error_depth, txt);
 #ifdef EXPERIMENTAL_OCSP
 if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
@@ -305,22 +304,14 @@ if (x509ctx->error_depth != 0)
 }
 else
 {
- DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
- *calledp ? "" : " authenticated", txt);
 tlsp->peerdn = txt;
 tlsp->peercert = X509_dup(x509ctx->current_cert);
+ DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
+ *calledp ? "" : " authenticated", txt);
+ if (!*calledp) tlsp->certificate_verified = TRUE;
+ *calledp = TRUE;
 }
-/*XXX JGH: this looks bogus - we set "verified" first time through, which
-will be for the root CS cert (calls work down the chain). Why should it
-not be on the last call, where we're setting peerdn?
-
-To test: set up a chain anchored by a good root-CA but with a bad server cert.
-Does certificate_verified get set?
-*/
-if (!*calledp) tlsp->certificate_verified = TRUE;
-*calledp = TRUE;
-
 return 1; /* accept */
 }
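Review bot: In the first hunk (`@@ -284,12 +284,11 @@`) the debug label for `txt` changes from `cert=` to `SN=`, which in an X.509 context is easily read as "serial number". The second hunk assigns the same `txt` to `tlsp->peerdn`, so the value appears to be a distinguished name, and a label such as `DN=` would keep the TLS debug output unambiguous for anyone correlating it with certificates: `debug_printf("SSL verify ok: depth=%d DN=%s\n",`. The same label is used in the depth-0 message added by the second hunk. The enclosing function starts before this hunk, so whether other messages in it still use `cert=` cannot be seen here.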
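Review bot: The second hunk (`@@ -305,22 +304,14 @@`) deletes the XXX comment but leaves nothing explaining the invariant that replaces it: `certificate_verified` is now set only in the depth-0 branch, and only while `*calledp` is still false. That guard is what keeps a chain with an overridden failure from being recorded as verified, presumably because the failure branch above this hunk sets `*calledp`; that branch is not visible here and should be confirmed. I would add a comment before the `if (!*calledp)` line, for example `/* Mark verified only at the leaf, and only if no earlier callback for this chain reported a failure that was overridden */`. The scenario from the removed comment (chain anchored by a good root CA with a bad server certificate) is worth keeping as a regression test rather than dropping with the comment. On the unchanged context line, the result of `X509_dup()` is stored in `tlsp->peercert` without a NULL check.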