GnuTLS: when library too old for system CA bundle support, do not default options...

author Jeremy Harris <jgh146exb@wizmail.org>

Sun, 4 Oct 2020 22:08:45 +0000 (23:08 +0100)

committer Jeremy Harris <jgh146exb@wizmail.org>

Mon, 5 Oct 2020 15:57:12 +0000 (16:57 +0100)
author Jeremy Harris <jgh146exb@wizmail.org>
Sun, 4 Oct 2020 22:08:45 +0000 (23:08 +0100)
committer Jeremy Harris <jgh146exb@wizmail.org>
Mon, 5 Oct 2020 15:57:12 +0000 (16:57 +0100)
diff --git a/src/src/globals.c b/src/src/globals.c

index d029f7540b4923b629f4ab410137d9869d23a333..b7e117868100d8136e37a3e08127fe33d29e050d 100644 (file)
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -141,7 +141,11 @@ uschar *tls_require_ciphers    = NULL;
  uschar *tls_resumption_hosts   = NULL;
  # endif
  uschar *tls_try_verify_hosts   = NULL;
  uschar *tls_resumption_hosts   = NULL;
  # endif
  uschar *tls_try_verify_hosts   = NULL;
+#if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
  uschar *tls_verify_certificates= US"system";
  uschar *tls_verify_certificates= US"system";
+#else
+uschar *tls_verify_certificates= NULL;
+#endif
  uschar *tls_verify_hosts       = NULL;
  int     tls_watch_fd          = -1;
  time_t  tls_watch_trigger_time = (time_t)0;
  uschar *tls_verify_hosts       = NULL;
  int     tls_watch_fd          = -1;
  time_t  tls_watch_trigger_time = (time_t)0;
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c

index 0a3d8f1e9721e265d0622dbeaac20baad924ba09..a31982223452e21d68568ae336ac5203a2f73483 100644 (file)
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -192,7 +192,9 @@ smtp_transport_options_block smtp_transport_option_defaults = {
    .keepalive =                 TRUE,
    .retry_include_ip_address =  TRUE,
  #ifndef DISABLE_TLS
    .keepalive =                 TRUE,
    .retry_include_ip_address =  TRUE,
  #ifndef DISABLE_TLS
+# if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
    .tls_verify_certificates =   US"system",
    .tls_verify_certificates =   US"system",
+# endif
    .tls_dh_min_bits =           EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
    .tls_tempfail_tryclear =     TRUE,
    .tls_try_verify_hosts =      US"*",
    .tls_dh_min_bits =           EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
    .tls_tempfail_tryclear =     TRUE,
    .tls_try_verify_hosts =      US"*",
diff --git a/test/runtest b/test/runtest

index 7e9b5d74c0fe1a3c4413b7ee8299a9ec85396f39..59184786b4a2e49ef0f98e7c039d67a1760a3c33 100755 (executable)
--- a/test/runtest
+++ b/test/runtest
@@ -1075,7 +1075,8 @@ RESET_AFTER_EXTRA_LINE_READ:
      next if /^TLS: preloading DH params for server/;
      next if /^Diffie-Hellman initialized from default/;
      next if /^TLS: preloading ECDH curve for server/;
      next if /^TLS: preloading DH params for server/;
      next if /^Diffie-Hellman initialized from default/;
      next if /^TLS: preloading ECDH curve for server/;
-    next if /^ECDH OpenSSL [\d.+]+ temp key parameter settings:/;
+    next if /^ECDH OpenSSL [< ]?[\d.+]+ temp key parameter settings:/;
+    next if /^ECDH: .'*prime256v1'/;
      next if /^watch dir/;
  
      # TLS preload
      next if /^watch dir/;
  
      # TLS preload
author	Jeremy Harris <jgh146exb@wizmail.org>
	Sun, 4 Oct 2020 22:08:45 +0000 (23:08 +0100)
committer	Jeremy Harris <jgh146exb@wizmail.org>
	Mon, 5 Oct 2020 15:57:12 +0000 (16:57 +0100)
src/src/globals.c		patch \| blob \| history
src/src/transports/smtp.c		patch \| blob \| history
test/runtest		patch \| blob \| history