From: Jeremy Harris
Date: Thu, 30 Oct 2014 20:48:02 +0000 (+0000)
Subject: Fix cert-try-verify when denied by event action
X-Git-Tag: exim-4_85_RC1~15
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/c1cc0506c3069a9d93d71321f9578150662ede91
Fix cert-try-verify when denied by event action
---
c1cc0506c3069a9d93d71321f9578150662ede91
diff --cc src/src/tls-openssl.c
index c489ea51d,a2e1136d0..fe1b208ac
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@@ -338,13 -334,15 +337,15 @@@ else if (depth != 0
 if (ev)
 {
 tlsp->peercert = X509_dup(cert);
- if (event_raise(ev, US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+ if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
 {
 log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
- "depth=%d cert=%s", depth, txt);
+ "depth=%d cert=%s: %s", depth, txt, yield);
- tlsp->certificate_verified = FALSE;
 *calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
 }
 X509_free(tlsp->peercert);
 tlsp->peercert = NULL;
@@@ -405,13 -411,15 +414,15 @@@ els
 #ifdef EXPERIMENTAL_EVENT
 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
 if (ev)
- if (event_raise(ev, US"tls:cert", US"0") == DEFER)
+ if ((yield = event_raise(ev, US"tls:cert", US"0")))
 {
 log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
- "depth=0 cert=%s", txt);
+ "depth=0 cert=%s: %s", txt, yield);
- tlsp->certificate_verified = FALSE;
 *calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
 }
 #endif
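Review bot: In the depth != 0 hunk, the override branch taken when `*optionalp` is set falls through after an event-action denial without recording the denied state, because `tlsp->certificate_verified = FALSE;` is no longer assigned there. The final verification state for a tls_try_verify_hosts peer then rests on code outside the hunk honouring `*calledp`. This is inferred, since the rest of the callback is not visible here, but a later path that sets the flag without checking `*calledp` would report a refused certificate as verified. I would record the state locally with `tlsp->certificate_verified = FALSE;` ahead of the `DEBUG(D_tls)` line, or at least add a comment such as `/* certificate_verified is left unset; *calledp blocks the later assignment */`. The depth=0 hunk has the same fall-through and needs the same treatment.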
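Review bot: In the depth=0 hunk the LOG_MAIN entry still reads "SSL verify denied by event-action" when the denial is then overridden for a try-verify host, and the override itself is reported only through `DEBUG(D_tls)`. Someone reading the main log would take the session as rejected, although it continued with a leaf certificate the event action refused. I would record the override at LOG_MAIN as well, for example `log_write(0, LOG_MAIN, "SSL verify failure overridden (host in tls_try_verify_hosts): depth=0 cert=%s", txt);` next to the debug line. The depth != 0 hunk has the same shape, and the enclosing function begins and ends outside both hunks.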