uschar * name;
int rc;
while ((name = string_nextinlist(&list, &sep, NULL, 0)))
- if ((rc = X509_check_host(cert, name, 0,
+ if ((rc = X509_check_host(cert, CCS name, 0,
X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS
| X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS,
NULL)))
int err = X509_STORE_CTX_get_error(x509ctx);
DEBUG(D_tls)
debug_printf(" - err %d '%s'\n", err, X509_verify_cert_error_string(err));
- if (err = X509_V_ERR_APPLICATION_VERIFICATION)
+ if (err == X509_V_ERR_APPLICATION_VERIFICATION)
preverify_ok = 1;
}
return preverify_ok;
of the expansion is an empty string, ignore it also, and assume the private
key is in the same file as the certificate. */
-if (expanded != NULL && *expanded != 0)
+if (expanded && *expanded)
{
DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
if (!SSL_CTX_use_PrivateKey_file(sctx, CS expanded, SSL_FILETYPE_PEM))
}
#ifndef DISABLE_OCSP
-if (cbinfo->is_server && cbinfo->u_ocsp.server.file != NULL)
+if (cbinfo->is_server && cbinfo->u_ocsp.server.file)
{
if (!expand_check(cbinfo->u_ocsp.server.file, US"tls_ocsp_file", &expanded))
return DEFER;
- if (expanded != NULL && *expanded != 0)
+ if (expanded && *expanded)
{
DEBUG(D_tls) debug_printf("tls_ocsp_file %s\n", expanded);
- if (cbinfo->u_ocsp.server.file_expanded &&
- (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
+ if ( cbinfo->u_ocsp.server.file_expanded
+ && (Ustrcmp(expanded, cbinfo->u_ocsp.server.file_expanded) == 0))
{
- DEBUG(D_tls)
- debug_printf("tls_ocsp_file value unchanged, using existing values.\n");
- } else {
- ocsp_load_response(sctx, cbinfo, expanded);
+ DEBUG(D_tls) debug_printf(" - value unchanged, using existing values\n");
+ }
+ else
+ {
+ ocsp_load_response(sctx, cbinfo, expanded);
}
}
}
if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
return DEFER;
-if (expcerts != NULL && *expcerts != '\0')
+if (expcerts && *expcerts)
{
- if (Ustrcmp(expcerts, "system") == 0)
- {
- /* Tell the library to use its compiled-in location for the system default
- CA bundle, only */
+ /* Tell the library to use its compiled-in location for the system default
+ CA bundle. Then add the ones specified in the config, if any. */
- if (!SSL_CTX_set_default_verify_paths(sctx))
- return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
- }
- else
+ if (!SSL_CTX_set_default_verify_paths(sctx))
+ return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
+
+ if (Ustrcmp(expcerts, "system") != 0)
{
struct stat statbuf;
- /* Tell the library to use its compiled-in location for the system default
- CA bundle. Those given by the exim config are additional to these */
-
- if (!SSL_CTX_set_default_verify_paths(sctx))
- return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
-
if (Ustat(expcerts, &statbuf) < 0)
{
log_write(0, LOG_MAIN|LOG_PANIC,
If a list isn't loaded into the server, but
some verify locations are set, the server end appears to make
a wildcard reqest for client certs.
- Meanwhile, the client library as deafult behaviour *ignores* the list
+ Meanwhile, the client library as default behaviour *ignores* the list
we send over the wire - see man SSL_CTX_set_client_cert_cb.
Because of this, and that the dir variant is likely only used for
the public-CA bundle (not for a private CA), not worth fixing.
/* Handle a certificate revocation list. */
- #if OPENSSL_VERSION_NUMBER > 0x00907000L
+#if OPENSSL_VERSION_NUMBER > 0x00907000L
/* This bit of code is now the version supplied by Lars Mainka. (I have
- * merely reformatted it into the Exim code style.)
+ merely reformatted it into the Exim code style.)
- * "From here I changed the code to add support for multiple crl's
- * in pem format in one file or to support hashed directory entries in
- * pem format instead of a file. This method now uses the library function
- * X509_STORE_load_locations to add the CRL location to the SSL context.
- * OpenSSL will then handle the verify against CA certs and CRLs by
- * itself in the verify callback." */
+ "From here I changed the code to add support for multiple crl's
+ in pem format in one file or to support hashed directory entries in
+ pem format instead of a file. This method now uses the library function
+ X509_STORE_load_locations to add the CRL location to the SSL context.
+ OpenSSL will then handle the verify against CA certs and CRLs by
+ itself in the verify callback." */
if (!expand_check(crl, US"tls_crl", &expcrl)) return DEFER;
- if (expcrl != NULL && *expcrl != 0)
+ if (expcrl && *expcrl)
{
struct stat statbufcrl;
if (Ustat(expcrl, &statbufcrl) < 0)
}
}
- #endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
+#endif /* OPENSSL_VERSION_NUMBER > 0x00907000L */
/* If verification is optional, don't fail if no certificate */
#ifdef SSL_OP_NO_SSLv2
result |= SSL_OP_NO_SSLv2;
#endif
+#ifdef SSL_OP_SINGLE_DH_USE
+result |= SSL_OP_SINGLE_DH_USE;
+#endif
if (option_spec == NULL)
{