[hcoop/debian/exim4.git] / debian / patches / 75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch

From 44893ba5249c6c6d5a0d62a1cc57ba3fbf7185b4 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sun, 19 May 2019 12:12:36 +0100
Subject: [PATCH 1/2] GnuTLS: fix the advertising of acceptable certs by the
 server.  Bug 2389

(cherry picked from commit 12d95aa62042377fc9f603245a17a43142972447)
---
 doc/ChangeLog | 4 ++++
 src/tls-gnu.c     | 8 ++++++++
 2 files changed, 12 insertions(+)

--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -42,6 +42,10 @@ JH/11 Harden plaintext authenticator aga
 JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
       verification result was not updated unless hosts_require_ocsp applied.
 
+JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
+      directory-of-certs mode.  Previously they were advertised despite the
+      documentation.
+
 
 Exim version 4.92
 -----------------
--- a/src/tls-gnu.c
+++ b/src/tls-gnu.c
@@ -1133,6 +1133,14 @@ else
 #endif
     gnutls_certificate_set_x509_trust_file(state->x509_cred,
       CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+
+#ifdef SUPPORT_CA_DIR
+  /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
+  when using the directory-of-certs config model. */
+
+  if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+    gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+#endif
   }
 
 if (cert_count < 0)
Commit	Line	Data
01e60269 AM	1	From 44893ba5249c6c6d5a0d62a1cc57ba3fbf7185b4 Mon Sep 17 00:00:00 2001
	2	From: Jeremy Harris <jgh146exb@wizmail.org>
	3	Date: Sun, 19 May 2019 12:12:36 +0100
	4	Subject: [PATCH 1/2] GnuTLS: fix the advertising of acceptable certs by the
	5	server. Bug 2389
	6
	7	(cherry picked from commit 12d95aa62042377fc9f603245a17a43142972447)
	8	---
	9	doc/ChangeLog \| 4 ++++
	10	src/tls-gnu.c \| 8 ++++++++
	11	2 files changed, 12 insertions(+)
	12
	13	--- a/doc/ChangeLog
	14	+++ b/doc/ChangeLog
	15	@@ -42,6 +42,10 @@ JH/11 Harden plaintext authenticator aga
	16	JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
	17	verification result was not updated unless hosts_require_ocsp applied.
	18
	19	+JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
	20	+ directory-of-certs mode. Previously they were advertised despite the
	21	+ documentation.
	22	+
	23
	24	Exim version 4.92
	25	-----------------
	26	--- a/src/tls-gnu.c
	27	+++ b/src/tls-gnu.c
	28	@@ -1133,6 +1133,14 @@ else
	29	#endif
	30	gnutls_certificate_set_x509_trust_file(state->x509_cred,
	31	CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
	32	+
	33	+#ifdef SUPPORT_CA_DIR
	34	+ /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
	35	+ when using the directory-of-certs config model. */
	36	+
	37	+ if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
	38	+ gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
	39	+#endif
	40	}
	41
	42	if (cert_count < 0)