From: Jeremy Harris
Date: Sun, 4 Oct 2020 22:08:45 +0000 (+0100)
Subject: GnuTLS: when library too old for system CA bundle support, do not default options...
X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/744170d4d3602fb5e1ade465d8da86b479b92f33
GnuTLS: when library too old for system CA bundle support, do not default options to using it
---
diff --git a/src/src/globals.c b/src/src/globals.c
index d029f7540..b7e117868 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -141,7 +141,11 @@ uschar *tls_require_ciphers = NULL;
 uschar *tls_resumption_hosts = NULL;
 # endif
 uschar *tls_try_verify_hosts = NULL;
+#if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
 uschar *tls_verify_certificates= US"system";
+#else
+uschar *tls_verify_certificates= NULL;
+#endif
 uschar *tls_verify_hosts = NULL;
 int tls_watch_fd = -1;
 time_t tls_watch_trigger_time = (time_t)0;
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 0a3d8f1e9..a31982223 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -192,7 +192,9 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 .keepalive = TRUE,
 .retry_include_ip_address = TRUE,
 #ifndef DISABLE_TLS
+# if defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)
 .tls_verify_certificates = US"system",
+# endif
 .tls_dh_min_bits = EXIM_CLIENT_DH_DEFAULT_MIN_BITS,
 .tls_tempfail_tryclear = TRUE,
 .tls_try_verify_hosts = US"*",
diff --git a/test/runtest b/test/runtest
index 7e9b5d74c..59184786b 100755
--- a/test/runtest
+++ b/test/runtest
@@ -1075,7 +1075,8 @@ RESET_AFTER_EXTRA_LINE_READ:
 next if /^TLS: preloading DH params for server/;
 next if /^Diffie-Hellman initialized from default/;
 next if /^TLS: preloading ECDH curve for server/;
- next if /^ECDH OpenSSL [\d.+]+ temp key parameter settings:/;
+ next if /^ECDH OpenSSL [< ]?[\d.+]+ temp key parameter settings:/;
+ next if /^ECDH: .'*prime256v1'/;
 next if /^watch dir/; # TLS preload
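Review bot: The new `#else` branch in src/src/globals.c changes a security-relevant default without saying why: on a GnuTLS build lacking SUPPORT_SYSDEFAULT_CABUNDLE, `tls_verify_certificates` now starts out NULL, so presumably no CA bundle is in effect until the configuration names one, and whether peers then go unverified or fail verification is decided by code outside this hunk. A comment on the fallback would spare the next reader a trip through the commit log, e.g. `/* Older GnuTLS cannot load the system CA bundle; leave unset so the admin must point this at a bundle explicitly. */`. The predicate `defined(SUPPORT_SYSDEFAULT_CABUNDLE) || !defined(USE_GNUTLS)` is repeated verbatim in src/src/transports/smtp.c; folding it into one feature macro in a shared header (name to be chosen) would keep the two defaults from drifting apart.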
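Review bot: In src/src/transports/smtp.c the added `# if` drops the `.tls_verify_certificates` initializer entirely on the old-GnuTLS path, so the member's NULL value comes only from implicit zero-initialization of `smtp_transport_option_defaults`, which the hunk header shows as a file-scope object. That is correct C, but it is invisible, and src/src/globals.c spells the same fallback out with an explicit `#else`; mirroring it here with `# else` / `.tls_verify_certificates = NULL,` / `# endif` makes the intent explicit and keeps the two defaults visibly in step. The initializer list begins and ends outside the hunk.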