Mailing List Archive

[Bug 2389] tls_verify_certificates - with GnuTLS the CA list is sent no matter whether tls_verify_certificates points to directory or file
https://bugs.exim.org/show_bug.cgi?id=2389

--- Comment #6 from Jeremy Harris <jgh146exb@wizmail.org> ---
Created attachment 1191
--> https://bugs.exim.org/attachment.cgi?id=1191&action=edit
Alternate fix; mimic the OpenSSL implementation

This is actually far simpler, if less flexible than a new option.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
[Bug 2389] tls_verify_certificates - with GnuTLS the CA list is sent no matter whether tls_verify_certificates points to directory or file
https://bugs.exim.org/show_bug.cgi?id=2389

--- Comment #7 from Andreas Metzler <eximusers@bebt.de> ---
(In reply to Jeremy Harris from comment #6)
> Created attachment 1191 [details]
> Alternate fix; mimic the OpenSSL implementation

> This is actually far simpler, if less flexible than a new option.

Thank you. The patch works for me in a quick test.

cu Andreas

[Bug 2389] tls_verify_certificates - with GnuTLS the CA list is sent no matter whether tls_verify_certificates points to directory or file
https://bugs.exim.org/show_bug.cgi?id=2389

Git Commit <git@exim.org> changed:

What   |Removed   |Added
-------+----------+--------------
CC     |          |git@exim.org

--- Comment #8 from Git Commit <git@exim.org> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/12d95aa62042377fc9f603245a17a43142972447

commit 12d95aa62042377fc9f603245a17a43142972447
Author: Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Sun May 19 12:12:36 2019 +0100
Commit: Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Sun May 19 12:12:36 2019 +0100

GnuTLS: fix the advertising of acceptable certs by the server. Bug 2389
---
doc/doc-txt/ChangeLog | 4 ++++
src/src/tls-gnu.c | 8 ++++++++
2 files changed, 12 insertions(+)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a204b37..98a4735 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -98,6 +98,10 @@ JH/19 Bug 2398: fix listing of a named-queue. Previously,
even with the option
queue_list_requires_admin set to false, non-admin users were denied the
facility.

+JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
+ directory-of-certs mode. Previously they were advertised despite the
+ documentation.
+

Exim version 4.92
-----------------
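Review bot: the JH/20 entry states the fixed behaviour but not its scope or rationale. The suppression only exists in builds with SUPPORT_CA_DIR defined (the only configuration that has a directory-of-certs mode), and the entry does not say that the GnuTLS build now matches the OpenSSL one, which is the justification given in the bug thread ("mimic the OpenSSL implementation"). Suggest appending a sentence such as "This now matches the behaviour of the OpenSSL build." so administrators comparing the two builds know the difference is gone. Also worth confirming that the spec text for tls_verify_certificates, which the entry says already documents this behaviour, needs no wording change, since only ChangeLog and tls-gnu.c are touched by this commit and no testsuite case accompanies it.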
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index dc8cdab..423c3a2 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1143,6 +1143,14 @@ else
#endif
gnutls_certificate_set_x509_trust_file(state->x509_cred,
CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+
+#ifdef SUPPORT_CA_DIR
+ /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
+ when using the directory-of-certs config model. */
+
+ if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+ gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+#endif
}

if (cert_count < 0)
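Review bot: the argument to gnutls_certificate_send_x509_rdn_sequence reads backwards from the function name: in the GnuTLS API a non-zero status tells GnuTLS not to send the rdnSequence in the CertificateRequest, so the `1` here is what suppresses the list, but the comment above the call does not say so. Suggest extending it, e.g. "/* status 1 = do not send the rdnSequence (the acceptable-CA list) */", so the next reader does not have to check the manual to see that this is not enabling the advertisement. Two things the hunk does not show and a reviewer should confirm: that `statbuf` was filled by a stat() of exp_tls_verify_certificates earlier in this function, otherwise the S_IFDIR test is meaningless; and that `state->session` is already initialised when this credentials-loading code runs, because the call is per-session rather than per-credential (`state->x509_cred`), unlike the gnutls_certificate_set_x509_trust_file call just above it.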

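To make the behaviour discussed in this bug visible on the wire, here is an added example (not code from Exim or GnuTLS) that decodes the certificate_authorities field of a TLS 1.2 CertificateRequest, which is where a server "advertises" the CA names it will accept client certificates from. The handshake messages it parses are constructed inline for the example; the OID table, the helper names and the builder functions are this example's own assumptions, not anything from the patch.

```python
"""Decode the certificate_authorities list of a TLS 1.2 CertificateRequest.

Added example for Bug 2389; this is not code from Exim or GnuTLS.  The
handshake messages parsed here are constructed inline, not captured from a
real server.  Feed parse_certificate_request() the bytes of a CertificateRequest
(handshake type 13) exported from a packet capture to see what a server advertises.
"""
import struct

# OID bytes (without tag and length) for attribute types common in CA subject
# names; anything else is shown as hex.  Table chosen for this example.
_ATTR_NAMES = {
    b"\x55\x04\x03": "CN",
    b"\x55\x04\x06": "C",
    b"\x55\x04\x0a": "O",
    b"\x55\x04\x0b": "OU",
}


def _tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def der_name_to_string(name: bytes) -> str:
    """Render a DER X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    tag, rdns, end = _tlv(name, 0)
    if tag != 0x30 or end != len(name):
        raise ValueError("Name is not a single SEQUENCE")
    parts = []
    pos = 0
    while pos < len(rdns):
        tag, rdn, pos = _tlv(rdns, pos)    # RelativeDistinguishedName: SET
        if tag != 0x31:
            raise ValueError("RDN is not a SET")
        _, atv, _ = _tlv(rdn, 0)           # AttributeTypeAndValue: SEQUENCE
        _, oid, p = _tlv(atv, 0)           # OBJECT IDENTIFIER
        _, value, _ = _tlv(atv, p)         # UTF8String / PrintableString / ...
        parts.append(f"{_ATTR_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ",".join(parts)


def parse_certificate_request(msg: bytes) -> dict:
    """Parse a TLS 1.2 CertificateRequest (RFC 5246 7.4.4), header included."""
    if not msg or msg[0] != 13:
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")

    n = body[0]                                               # certificate_types
    cert_types = list(body[1:1 + n])                          # 1 = rsa_sign, 64 = ecdsa_sign
    pos = 1 + n
    n = int.from_bytes(body[pos:pos + 2], "big")              # supported_signature_algorithms
    pos += 2
    sig_algs = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)]
    pos += n
    n = int.from_bytes(body[pos:pos + 2], "big")              # certificate_authorities
    pos += 2
    cas_end = pos + n
    authorities = []
    while pos < cas_end:                                      # DistinguishedName list
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        authorities.append(der_name_to_string(body[pos:pos + dn_len]))
        pos += dn_len
    if pos != cas_end or pos != len(body):
        raise ValueError("malformed certificate_authorities")
    return {"certificate_types": cert_types,
            "signature_algorithms": sig_algs,
            "certificate_authorities": authorities}


# --- constructed sample data (short-form DER lengths are enough here) ---

def _der(tag: int, value: bytes) -> bytes:
    if len(value) >= 128:
        raise ValueError("sample builder only does short-form lengths")
    return bytes([tag, len(value)]) + value


def build_der_name(attrs) -> bytes:
    """Encode [("C", "GB"), ("CN", "Example CA")] as a DER Name with UTF8String values."""
    oids = {v: k for k, v in _ATTR_NAMES.items()}
    rdns = b"".join(_der(0x31, _der(0x30, _der(0x06, oids[a]) + _der(0x0C, v.encode())))
                    for a, v in attrs)
    return _der(0x30, rdns)


def build_certificate_request(ca_names) -> bytes:
    """Build a TLS 1.2 CertificateRequest advertising the given DER names."""
    cert_types = bytes([1, 64])                               # rsa_sign, ecdsa_sign
    sig_algs = bytes([4, 1, 4, 3, 6, 1])                      # sha256/rsa, sha256/ecdsa, sha512/rsa
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    body = (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)
    return bytes([13]) + len(body).to_bytes(3, "big") + body


# A server that advertises its trust list (the pre-fix GnuTLS directory-mode
# behaviour) versus one that sends an empty list.  Names are made up.
ADVERTISING = build_certificate_request(
    [build_der_name([("C", "GB"), ("O", "Example Ltd"), ("CN", "Example Mail CA")])])
SILENT = build_certificate_request([])

if __name__ == "__main__":
    for label, msg in (("advertising", ADVERTISING), ("silent", SILENT)):
        print(label, parse_certificate_request(msg)["certificate_authorities"])
```

Against a live server the same check is `openssl s_client -starttls smtp -connect host:25` with a client certificate configured on the server side: the output shows either "Acceptable client certificate CA names" followed by the advertised subjects, or "No client certificate CA names sent". The parser above covers the TLS 1.2 layout only; in TLS 1.3 the same names travel in a certificate_authorities extension of the CertificateRequest, which it does not decode.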