Adding it to a redirect router makes no difference.
+
+
Certificate name checking
--------------------------------------------------------------
The X509 certificates used for TLS are supposed be verified
support to date has not made these checks.
If built with EXPERIMENTAL_CERTNAMES defined, code is
- included to do so, and a new smtp transport option
- "tls_verify_cert_hostname" supported which takes a list of
- names for which the checks must be made. The host must
- also be in "tls_verify_hosts".
+ included to do so for server certificates, and a new smtp transport option
-"tls_verify_cert_hostname" supported which takes a list of
-names for which the checks must be made. The host must
-also be in "tls_verify_hosts".
++"tls_verify_cert_hostnames" supported which takes a list of
++names for which the additional checks must be made.
++The option currently defaults to empty, but this may change in
++the future. "*" is probably a suitable value.
++Whether certificate verification is done at all, and the result of
++it failing, is stll under the control of "tls_verify_hosts" nad
++"tls_try_verify_hosts".
Both Subject and Subject-Alternate-Name certificate fields
are supported, as are wildcard certificates (limited to
a single wildcard being the initial component of a 3-or-more
component FQDN).
+ The equivalent check on the server for client certificates is not
+ implemented. At least one major email provider is using a client
+ certificate which fails this check. They do not retry either without
+ hte client certificate or in clear.
+
+ It is possible to duplicate the effect of this checking by
+ creative use of Events.
+
+
+
DANE
------------------------------------------------------------
There is a new variable $tls_out_dane which will have "yes" if
verification succeeded using DANE and "no" otherwise (only useful
- in combination with EXPERIMENTAL_TPDA), and a new variable
+ in combination with EXPERIMENTAL_EVENT), and a new variable
$tls_out_tlsa_usage (detailed above).
{
X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
int depth = X509_STORE_CTX_get_error_depth(x509ctx);
-uschar * ev;
static uschar txt[256];
+#ifdef EXPERIMENTAL_EVENT
+uschar * ev;
+uschar * yield;
+#endif
X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
depth,
X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
txt);
- tlsp->certificate_verified = FALSE;
*calledp = TRUE;
if (!*optionalp)
{
if (ev)
{
tlsp->peercert = X509_dup(cert);
- if (event_raise(ev, US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+ if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth))))
{
log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
- "depth=%d cert=%s", depth, txt);
- tlsp->certificate_verified = FALSE;
+ "depth=%d cert=%s: %s", depth, txt, yield);
*calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
}
X509_free(tlsp->peercert);
tlsp->peercert = NULL;
# if EXIM_HAVE_OPENSSL_CHECKHOST
# ifndef X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
# define X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS 0
+ # endif
+ # ifndef X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS
+ # define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0
# endif
{
int sep = 0;
int rc;
while ((name = string_nextinlist(&list, &sep, NULL, 0)))
if ((rc = X509_check_host(cert, name, 0,
- X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS)))
+ X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
+ | X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS)))
{
if (rc < 0)
{
{
log_write(0, LOG_MAIN,
"SSL verify error: certificate name mismatch: \"%s\"\n", txt);
- return 0; /* reject */
+ *calledp = TRUE;
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+ "tls_try_verify_hosts)\n");
}
}
# else
{
log_write(0, LOG_MAIN,
"SSL verify error: certificate name mismatch: \"%s\"\n", txt);
- return 0; /* reject */
+ *calledp = TRUE;
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
+ "tls_try_verify_hosts)\n");
}
# endif
#endif /*EXPERIMENTAL_CERTNAMES*/
#ifdef EXPERIMENTAL_EVENT
ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
if (ev)
- if (event_raise(ev, US"tls:cert", US"0") == DEFER)
+ if ((yield = event_raise(ev, US"tls:cert", US"0")))
{
log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
- "depth=0 cert=%s", txt);
- tlsp->certificate_verified = FALSE;
+ "depth=0 cert=%s: %s", txt, yield);
*calledp = TRUE;
- return 0; /* reject */
+ if (!*optionalp)
+ return 0; /* reject */
+ DEBUG(D_tls) debug_printf("Event-action verify failure overridden "
+ "(host in tls_try_verify_hosts)\n");
}
#endif
static uschar txt[256];
#ifdef EXPERIMENTAL_EVENT
int depth = X509_STORE_CTX_get_error_depth(x509ctx);
+uschar * yield;
#endif
X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
#ifdef EXPERIMENTAL_EVENT
if (client_static_cbinfo->event_action)
{
- if (event_raise(client_static_cbinfo->event_action,
- US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+ if ((yield = event_raise(client_static_cbinfo->event_action,
+ US"tls:cert", string_sprintf("%d", depth))))
{
log_write(0, LOG_MAIN, "DANE verify denied by event-action: "
- "depth=%d cert=%s", depth, txt);
+ "depth=%d cert=%s: %s", depth, txt, yield);
tls_out.certificate_verified = FALSE;
return 0; /* reject */
}