From 31a4354e12b3bfc2d724f3b521aaa529710f5865 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Sun, 23 Nov 2014 16:58:06 +0000
Subject: [PATCH 1/1] Make "system" location for certificate CA bundle the default
---
 doc/doc-docbook/spec.xfpt | 12 +++++++-----
 doc/doc-txt/ChangeLog | 2 +-
 src/src/globals.c | 2 +-
 src/src/tls-gnu.c | 6 +++++-
 src/src/transports/smtp.c | 2 +-
 5 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 89fb5841e..843379b6d 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -16494,7 +16494,7 @@ preference order of the available ciphers. Details are given in sections
 See &%tls_verify_hosts%& below.
-.option tls_verify_certificates main string&!! unset
+.option tls_verify_certificates main string&!! system
 .cindex "TLS" "client certificate verification"
 .cindex "certificate" "verification of client"
 The value of this option is expanded, and must then be either the
@@ -16505,7 +16505,8 @@ match &%tls_verify_hosts%& or &%tls_try_verify_hosts%&.
 The "system" value for the option will use a system default location compiled into the SSL library.
-This is not available for GnuTLS versions preceding 3.0.20 and an explicit location
+This is not available for GnuTLS versions preceding 3.0.20,
+and will be taken as empty; an explicit location
 must be specified.
 The use of a directory for the option value is not avilable for GnuTLS versions
@@ -23471,7 +23472,7 @@ limited to being the initial component of a 3-or-more component FQDN.
 There is no equivalent checking on client certificates.
-.option tls_verify_certificates smtp string&!! unset
+.option tls_verify_certificates smtp string&!! system
 .cindex "TLS" "server certificate verification"
 .cindex "certificate" "verification of server"
 .vindex "&$host$&"
@@ -23483,7 +23484,8 @@ a file or directory containing permitted certificates for servers, for use when
 setting up an encrypted connection.
 The "system" value for the option will use a location compiled into the SSL library.
-This is not available for GnuTLS versions preceding 3.0.20 and an explicit location
+This is not available for GnuTLS versions preceding 3.0.20; a value of "system"
+is taken as empty and an explicit location
 must be specified.
 The use of a directory for the option value is not avilable for GnuTLS versions
@@ -26492,7 +26494,7 @@ if it requests it. If the server is Exim, it will request a certificate only if
 &%tls_verify_hosts%& or &%tls_try_verify_hosts%& matches the client.
 If the &%tls_verify_certificates%& option is set on the &(smtp)& transport, it
-specified a collection of expected server certificates.
+specifies a collection of expected server certificates.
 These may be the system default set (depeding on library version), a file or, depnding on liibrary version, a directory,
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 0e9b7ddca..f0acc09d0 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -18,7 +18,7 @@ JH/04 Certificate name checking on server certificates, when exim is a client,
 EXPERIMENTAL_CERTNAMES is withdrawn.
 JH/05 The value of the tls_verify_certificates smtp transport and main options
- can now be the word "system" to access the system default CA bundle.
+ default to the word "system" to access the system default CA bundle.
 For GnuTLS, only version 3.0.20 or later.
diff --git a/src/src/globals.c b/src/src/globals.c
index a7beec602..1b09008a1 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -166,7 +166,7 @@ uschar *tls_privatekey = NULL;
 BOOL tls_remember_esmtp = FALSE;
 uschar *tls_require_ciphers = NULL;
 uschar *tls_try_verify_hosts = NULL;
-uschar *tls_verify_certificates= NULL;
+uschar *tls_verify_certificates= US"system";
 uschar *tls_verify_hosts = NULL;
 #endif
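Review bot: The main (server-side) `tls_verify_certificates` now defaults to `US"system"` instead of NULL, and nothing at the definition records that this changes what a client certificate is checked against once an operator sets `tls_verify_hosts` or `tls_try_verify_hosts`. A public-CA bundle is rarely the intended trust anchor for client authentication — presumably any certificate chaining to a public CA in that bundle then counts as "verified", rather than one issued by the site's own CA — so I would add a comment at the definition, e.g. `/* default "system": library CA bundle; client-auth deployments should point this at their own CA */`. Whether the server requests a client certificate at all when the hosts options are unset is decided outside this hunk, so I have not assumed it.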
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 4943f48b7..42d04224a 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -853,7 +853,11 @@ error message is provided. However, if we just refrain from setting anything up
 in that case, certificate verification fails, which seems to be the correct
 behaviour. */
-if (state->tls_verify_certificates && *state->tls_verify_certificates)
+if ( state->tls_verify_certificates && *state->tls_verify_certificates
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ && Ustrcmp(state->exp_tls_verify_certificates, "system") != 0
+#endif
+ )
 {
 if (!expand_check_tlsvar(tls_verify_certificates))
 return DEFER;
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index fe0e733f8..7bc0fa086 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -255,7 +255,7 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 NULL, /* gnutls_require_mac */
 NULL, /* gnutls_require_proto */
 NULL, /* tls_sni */
- NULL, /* tls_verify_certificates */
+ US"system", /* tls_verify_certificates */
 EXIM_CLIENT_DH_DEFAULT_MIN_BITS, /* tls_dh_min_bits */
 TRUE, /* tls_tempfail_tryclear */
--
2.30.2
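Review bot: The added `Ustrcmp(state->exp_tls_verify_certificates, "system") != 0` reads the expanded copy before the `expand_check_tlsvar(tls_verify_certificates)` call inside the guarded block, which from its name appears to be what fills `exp_tls_verify_certificates`; on a GnuTLS build without SUPPORT_SYSDEFAULT_CABUNDLE that compares a pointer that is presumably still NULL (or stale from an earlier call), and `Ustrcmp` on NULL is undefined behaviour, so the "taken as empty" fallback the spec hunk promises is not what this code does. The minimal fix is to test the raw option the way the preceding operand already does, `&& Ustrcmp(state->tls_verify_certificates, "system") != 0`, which is NULL-safe because of the `state->tls_verify_certificates &&` before it; the cost is that an expansion yielding "system" slips through, so the fuller fix is to expand first and then, under the same `#ifndef`, treat an expanded "system" as empty. Either way the comment above the `if` should say that on old GnuTLS a `tls_try_verify_hosts` match now runs with no CA set at all, i.e. the fail-closed behaviour it describes is what the new default relies on. The enclosing function starts and ends outside the hunk.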
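Review bot: The new transport default `US"system"` carries no hint that it is library-dependent, while the ChangeLog hunk says the word is honoured only on GnuTLS 3.0.20 or later and the spec hunk says it is otherwise taken as empty; a reader of this defaults table cannot tell that the default can silently mean "no CA bundle" on an older GnuTLS. I would extend the trailing comment: `US"system", /* tls_verify_certificates: library CA bundle; empty on GnuTLS < 3.0.20 */`. The initialiser list continues on both sides of the hunk.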