Diffstat (limited to 'debian/patches/75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch')
-rw-r--r--debian/patches/75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch42
1 files changed, 42 insertions, 0 deletions
diff --git a/debian/patches/75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch b/debian/patches/75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch
new file mode 100644
index 0000000..5b98faa
--- /dev/null
+++ b/debian/patches/75_12-GnuTLS-fix-the-advertising-of-acceptable-certs-by-th.patch
@@ -0,0 +1,42 @@
+From 44893ba5249c6c6d5a0d62a1cc57ba3fbf7185b4 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Sun, 19 May 2019 12:12:36 +0100
+Subject: [PATCH 1/2] GnuTLS: fix the advertising of acceptable certs by the
+ server. Bug 2389
+
+(cherry picked from commit 12d95aa62042377fc9f603245a17a43142972447)
+---
+ doc/ChangeLog | 4 ++++
+ src/tls-gnu.c | 8 ++++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -42,6 +42,10 @@ JH/11 Harden plaintext authenticator aga
+ JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
+ verification result was not updated unless hosts_require_ocsp applied.
+
++JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
++ directory-of-certs mode. Previously they were advertised despite the
++ documentation.
++
+
+ Exim version 4.92
+ -----------------
+--- a/src/tls-gnu.c
++++ b/src/tls-gnu.c
+@@ -1133,6 +1133,14 @@ else
+ #endif
+ gnutls_certificate_set_x509_trust_file(state->x509_cred,
+ CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
++
++#ifdef SUPPORT_CA_DIR
++ /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
++ when using the directory-of-certs config model. */
++
++ if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
++ gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
++#endif
+ }
+
+ if (cert_count < 0)
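Review bot: The bare `1` in `gnutls_certificate_send_x509_rdn_sequence(state->session, 1)` is a magic value whose meaning is inverted relative to the function name: in GnuTLS a non-zero status tells the library *not* to send the rdnSequence (the certificate_authorities list of acceptable CA DNs) in the CertificateRequest, so the comment should say so, e.g. `/* non-zero status: suppress the CA-DN list in CertificateRequest */`. It is also worth noting in that comment the client-visible consequence: with no CA list the client has to choose a client certificate on its own, while the server no longer discloses the contents of its trust directory or inflates the handshake with every DN it holds. The `S_IFDIR` test relies on `statbuf` having been populated by an earlier stat() of `exp_tls_verify_certificates`, which lies outside this hunk (the enclosing function starts and ends outside it); that assumption is fine only if the stat result was already checked on that path. If this function can be entered before `gnutls_init` has populated `state->session` (e.g. when loading credentials ahead of a session), the call should be guarded, `if (state->session)`, rather than handing GnuTLS a null session handle.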