| 1 | From 44893ba5249c6c6d5a0d62a1cc57ba3fbf7185b4 Mon Sep 17 00:00:00 2001 |
| 2 | From: Jeremy Harris <jgh146exb@wizmail.org> |
| 3 | Date: Sun, 19 May 2019 12:12:36 +0100 |
| 4 | Subject: [PATCH 1/2] GnuTLS: fix the advertising of acceptable certs by the |
| 5 | server. Bug 2389 |
| 6 | |
| 7 | (cherry picked from commit 12d95aa62042377fc9f603245a17a43142972447) |
| 8 | --- |
| 9 | doc/ChangeLog | 4 ++++ |
| 10 | src/tls-gnu.c | 8 ++++++++ |
| 11 | 2 files changed, 12 insertions(+) |
| 12 | |
| 13 | --- a/doc/ChangeLog |
| 14 | +++ b/doc/ChangeLog |
| 15 | @@ -42,6 +42,10 @@ JH/11 Harden plaintext authenticator aga |
| 16 | JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the |
| 17 | verification result was not updated unless hosts_require_ocsp applied. |
| 18 | |
| 19 | +JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in |
| 20 | + directory-of-certs mode. Previously they were advertised despite the |
| 21 | + documentation. |
| 22 | + |
| 23 | |
| 24 | Exim version 4.92 |
| 25 | ----------------- |
| 26 | --- a/src/tls-gnu.c |
| 27 | +++ b/src/tls-gnu.c |
| 28 | @@ -1133,6 +1133,14 @@ else |
| 29 | #endif |
| 30 | gnutls_certificate_set_x509_trust_file(state->x509_cred, |
| 31 | CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM); |
| 32 | + |
| 33 | +#ifdef SUPPORT_CA_DIR |
| 34 | + /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list |
| 35 | + when using the directory-of-certs config model. */ |
| 36 | + |
| 37 | + if ((statbuf.st_mode & S_IFMT) == S_IFDIR) |
| 38 | + gnutls_certificate_send_x509_rdn_sequence(state->session, 1); |
| 39 | +#endif |
| 40 | } |
| 41 | |
| 42 | if (cert_count < 0) |
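Review bot: The new S_IFDIR test at L37 re-reads `statbuf`, which is filled by a stat() of exp_tls_verify_certificates somewhere earlier in the function (outside this hunk); the hunk header's `else` suggests the directory/file decision on the same `statbuf` has already been made just above, so the `gnutls_certificate_send_x509_rdn_sequence(state->session, 1);` call would be clearer placed inside that existing SUPPORT_CA_DIR directory branch rather than repeating the mode test after `gnutls_certificate_set_x509_trust_file` has run. The call also requires `state->session` to already be a live GnuTLS session; if this credential-loading path can execute before the session is initialised, it would dereference a null session, which is worth confirming against the caller order since it is not visible here. The comment at L34–L35 states what is mimicked but not the consequence; I would extend it with `/* With the RDN sequence suppressed the client gets no hint of which issuers we accept and must choose its certificate blind, as with OpenSSL */`. The enclosing function begins before the start of the hunk.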