path: root/debian/patches/75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch
From 44893ba5249c6c6d5a0d62a1cc57ba3fbf7185b4 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sun, 19 May 2019 12:12:36 +0100
Subject: [PATCH 1/2] GnuTLS: fix the advertising of acceptable certs by the
 server.  Bug 2389

(cherry picked from commit 12d95aa62042377fc9f603245a17a43142972447)
---
 doc/ChangeLog | 4 ++++
 src/tls-gnu.c     | 8 ++++++++
 2 files changed, 12 insertions(+)

--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -42,6 +42,10 @@ JH/11 Harden plaintext authenticator aga
 JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
       verification result was not updated unless hosts_require_ocsp applied.
 
+JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
+      directory-of-certs mode.  Previously they were advertised despite the
+      documentation.
+
 
 Exim version 4.92
 -----------------
--- a/src/tls-gnu.c
+++ b/src/tls-gnu.c
@@ -1133,6 +1133,14 @@ else
 #endif
     gnutls_certificate_set_x509_trust_file(state->x509_cred,
       CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+
+#ifdef SUPPORT_CA_DIR
+  /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
+  when using the directory-of-certs config model. */
+
+  if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+    gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+#endif
   }
 
 if (cert_count < 0)
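Review bot: The new `if` at the end of the hunk reads `statbuf.st_mode`, but nothing in the hunk populates `statbuf`; its validity rests on an earlier `stat()` of `state->exp_tls_verify_certificates` that is outside this view, and if that stat is conditional or failed, the `S_IFMT` test runs on an indeterminate value. A comment tying the two together would help, e.g. `/* statbuf filled by the stat of exp_tls_verify_certificates above */`, or the new line could re-check the stat result before trusting `st_mode`. The literal `1` is the GnuTLS "status" argument, where non-zero tells the library not to send the rdnSequence (the trusted-CA names) in the certificate request; naming that inline, `/* non-zero: do not send the rdnSequence */`, spares the reader a trip to the GnuTLS manual. The call also assumes `state->session` is already initialised at this point, which the hunk does not show. The enclosing function starts and ends outside the hunk.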