changeset 21758:343344fec13a
lib-ssl-iostream: Fix ambiguity with SSL settings
- lib-ssl-iostream as client: Use only allow_invalid_cert. If it's not set, verify the server cert.
- lib-ssl-iostream as server: If verify_client_cert=FALSE, don't ask for the client cert. Otherwise, ask for client cert but still allow it if allow_invalid_cert=TRUE.
author | Aki Tuomi <aki.tuomi@dovecot.fi> |
---|---|
date | Mon, 20 Feb 2017 09:32:15 +0200 |
parents | 9d825e599eb3 |
children | 4dd04639b19b |
files | src/lib-ssl-iostream/iostream-openssl-context.c |
diffstat | 1 files changed, 6 insertions(+), 2 deletions(-) [+] |
--- a/src/lib-ssl-iostream/iostream-openssl-context.c Wed Mar 01 13:12:41 2017 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c Mon Feb 20 09:32:15 2017 +0200
@@ -499,10 +499,14 @@
 				struct ssl_iostream_context **ctx_r,
 				const char **error_r)
 {
+	struct ssl_iostream_settings set_copy = *set;
 	struct ssl_iostream_context *ctx;
 	SSL_CTX *ssl_ctx;
 
-	if (ssl_iostream_init_global(set, error_r) < 0)
+	/* ensure this is set to TRUE */
+	set_copy.verify_remote_cert = TRUE;
+
+	if (ssl_iostream_init_global(&set_copy, error_r) < 0)
 		return -1;
 	if ((ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
 		*error_r = t_strdup_printf("SSL_CTX_new() failed: %s",
@@ -514,7 +518,7 @@
 	ctx = i_new(struct ssl_iostream_context, 1);
 	ctx->ssl_ctx = ssl_ctx;
 	ctx->client_ctx = TRUE;
-	if (ssl_iostream_context_init_common(ctx, set, error_r) < 0) {
+	if (ssl_iostream_context_init_common(ctx, &set_copy, error_r) < 0) {
 		ssl_iostream_context_deinit(&ctx);
 		return -1;
 	}
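Review bot: The added comment `/* ensure this is set to TRUE */` above `set_copy.verify_remote_cert = TRUE;` in the first hunk states what the line does but not why, and the why is the security-relevant part: a client context deliberately overrides the caller's verify_remote_cert so the server certificate is always verified, with allow_invalid_cert as the only opt-out. Suggest `/* Client contexts always verify the server cert: the caller's verify_remote_cert is ignored, and allow_invalid_cert is the only way to accept a failed verification. */`. Because the override is silent for a caller that passes verify_remote_cert=FALSE, the field's declaration in the settings struct (outside this hunk) should also state that it has no effect on client contexts. `set_copy` is a shallow struct copy, so any pointer members still reference the caller's storage; that appears safe here since the hunk shows set_copy used only within this call, but it should be confirmed against the rest of the function. The enclosing function begins before the first hunk and continues past the second.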