git://git.exim.org/users/jgh/exim.git (commitdiff)
parent: c06ddd6
OpenSSL: avoid loading server's CA-list-for-client-notification on client
author: Jeremy Harris <jgh146exb@wizmail.org>, Fri, 27 Mar 2020 21:07:50 +0000
committer: Jeremy Harris <jgh146exb@wizmail.org>, Fri, 27 Mar 2020 21:07:50 +0000
src/src/tls-openssl.c
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index 99d3f87f4795803adee75965bd7ab42016f18589..af5d952f74f3d3e83e74e23dd8eaa6b2cd6e4ded 100644
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-2498,7
+2498,7
@@
This is inconsistent with the need to verify the OCSP proof of the server cert.
#endif
}
#endif
}
- /* If a certificate file is empty, the
next
function fails with an
+ /* If a certificate file is empty, the
load
function fails with an
unhelpful error message. If we skip it, we get the correct behaviour (no
certificates are recognized, but the error message is still misleading (it
says no certificate was supplied). But this is better. */
unhelpful error message. If we skip it, we get the correct behaviour (no
certificates are recognized, but the error message is still misleading (it
says no certificate was supplied). But this is better. */
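Review bot: the reworded comment still leaves the parenthetical that opens at "(no certificates are recognized" unclosed; the inner "(it says no certificate was supplied)" closes, the outer one never does. Since the next hunk shows the call in question is SSL_CTX_load_verify_locations(), naming it is clearer than "the load function". Suggested wording: "If a certificate file is empty, SSL_CTX_load_verify_locations() fails with an unhelpful error message. If we skip it we get the correct behaviour (no certificates are recognized), but the error message is still misleading: it says no certificate was supplied. This is better."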
@@
-2507,9
+2507,9
@@
This is inconsistent with the need to verify the OCSP proof of the server cert.
&& !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
&& !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
return tls_error(US"SSL_CTX_load_verify_locations", host, NULL, errstr);
- /*
Load the list of CAs for which we will accept certs, for sending
- to the client. This is only for the one-file tls_verify_certificates
- variant.
+ /*
On the server load the list of CAs for which we will accept certs, for
+ sending to the client. This is only for the one-file
+
tls_verify_certificates
variant.
If a list isn't loaded into the server, but some verify locations are set,
the server end appears to make a wildcard request for client certs.
Meanwhile, the client library as default behaviour *ignores* the list
If a list isn't loaded into the server, but some verify locations are set,
the server end appears to make a wildcard request for client certs.
Meanwhile, the client library as default behaviour *ignores* the list
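Review bot: the comment now says "On the server" but does not tell the reader how the code below tells server from client; the guard added in the next hunk is `if (!host)`, so the comment should state that a NULL host marks the server side, otherwise that test reads as a missing-argument check rather than a role check. Suggest "On the server (host == NULL) load the list of CAs for which we will accept certs, for sending to the client."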
@@
-2521,7
+2521,7
@@
This is inconsistent with the need to verify the OCSP proof of the server cert.
{
STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
{
STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
- SSL_CTX_set_client_CA_list(sctx, names);
+
if (!host)
SSL_CTX_set_client_CA_list(sctx, names);
DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
sk_X509_NAME_num(names));
}
DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
sk_X509_NAME_num(names));
}
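Review bot: the client path still calls SSL_load_client_CA_file() and only skips SSL_CTX_set_client_CA_list(); the context takes ownership of the stack only through that call, so when host is set `names` is read from the file and never freed, and the DEBUG line "Added %d certificate authorities." is still printed although nothing was added. Guarding the whole block rather than the single call avoids both and matches the commit title ("avoid loading"):
if (!host)
  {
  STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
Separately, SSL_load_client_CA_file() returns NULL on failure and nothing visible checks for it; sk_X509_NAME_num(NULL) returns -1, so an unreadable file would be reported as "-1 certificate authorities" in the debug output instead of surfacing as an error.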