lib-ssl-iostream: Changed require_valid_cert -> allow_invalid_cert
authorTimo Sirainen <timo.sirainen@dovecot.fi>
Thu, 16 Jun 2016 08:23:16 +0000 (11:23 +0300)
committerTimo Sirainen <timo.sirainen@dovecot.fi>
Thu, 16 Jun 2016 08:23:16 +0000 (11:23 +0300)
We should default to being safe.

src/doveadm/server-connection.c
src/lib-http/http-client-connection.c
src/lib-http/test-http-client.c
src/lib-imap-client/imapc-connection.c
src/lib-ssl-iostream/iostream-openssl.c
src/lib-ssl-iostream/iostream-openssl.h
src/lib-ssl-iostream/iostream-ssl.h
src/lib-storage/index/pop3c/pop3c-client.c

index 59562715daf6a29e4bb36013e5514f2507734253..2454c743efa5134a0c6cea8deb0784a75e73f1b7 100644 (file)
@@ -433,7 +433,6 @@ static int server_connection_init_ssl(struct server_connection *conn)
 
        memset(&ssl_set, 0, sizeof(ssl_set));
        ssl_set.verify_remote_cert = TRUE;
-       ssl_set.require_valid_cert = TRUE;
        ssl_set.verbose_invalid_cert = TRUE;
 
        if (io_stream_create_ssl_client(conn->server->ssl_ctx,
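Review bot: Strict verification in this hunk now rests on `memset(&ssl_set, 0, sizeof(ssl_set));` leaving allow_invalid_cert FALSE rather than on an explicit assignment, and the same holds for the imapc hunk at @@ -1500 and the pop3c hunk at @@ -570, where the zeroing is outside the hunk and has to be taken on trust. That is the right default, but nothing at these call sites says it is intentional, so a future `ssl_set` initialization that is not zeroed would silently turn permissive. A one-line comment after the memset would pin the contract: `/* allow_invalid_cert stays FALSE: an unverifiable peer cert fails the handshake */`. server_connection_init_ssl begins before this hunk and continues past it.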
index d89b35647c5dc23c2a9ee2da9a0eb5b92f7b9f4b..fed1bba1687b335369936c5bd0ee26bb138259ab 100644 (file)
@@ -1124,7 +1124,7 @@ http_client_connection_ssl_handshaked(const char **error_r, void *context)
 
        if (ssl_iostream_check_cert_validity(conn->ssl_iostream, host, &error) == 0)
                http_client_connection_debug(conn, "SSL handshake successful");
-       else if (!conn->client->set.ssl->require_valid_cert) {
+       else if (conn->client->set.ssl->allow_invalid_cert) {
                http_client_connection_debug(conn, "SSL handshake successful, "
                        "ignoring invalid certificate: %s", error);
        } else {
@@ -1144,10 +1144,9 @@ http_client_connection_ssl_init(struct http_client_connection *conn,
        i_assert(conn->client->ssl_ctx != NULL);
 
        memset(&ssl_set, 0, sizeof(ssl_set));
-       if (conn->client->set.ssl->require_valid_cert) {
+       if (!conn->client->set.ssl->allow_invalid_cert) {
                ssl_set.verbose_invalid_cert = TRUE;
                ssl_set.verify_remote_cert = TRUE;
-               ssl_set.require_valid_cert = TRUE;
        }
 
        if (conn->client->set.debug)
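Review bot: The client-level allow_invalid_cert setting is never copied into `ssl_set` here; when it is TRUE the block also leaves verify_remote_cert FALSE, so the stream does no verification at all rather than verifying and tolerating, and presumably the `cert_broken` bookkeeping in openssl_iostream_verify_client_cert never runs for such connections. If the intent is that invalid certificates are still detected and reported through the "ignoring invalid certificate" branch in the first hunk of this file, the block could verify unconditionally and propagate the flag: `ssl_set.verbose_invalid_cert = TRUE;` `ssl_set.verify_remote_cert = TRUE;` `ssl_set.allow_invalid_cert = conn->client->set.ssl->allow_invalid_cert;`. Whether ssl_iostream_check_cert_validity reports anything with verification disabled is not visible on this page, so this is worth confirming before changing. http_client_connection_ssl_init starts before and continues past this hunk.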
index a98328abd2f1e06ee105df9d47d7a6d8ca0b9b74..7f34f469ed1b2adf18b5e9b8b16c01b1d619a213 100644 (file)
@@ -360,7 +360,7 @@ int main(int argc, char *argv[])
                i_fatal("Couldn't initialize DNS client: %s", error);
 
        memset(&ssl_set, 0, sizeof(ssl_set));
-       ssl_set.require_valid_cert = FALSE;
+       ssl_set.allow_invalid_cert = TRUE;
        ssl_set.ca_dir = "/etc/ssl/certs"; /* debian */
        ssl_set.ca_file = "/etc/pki/tls/cert.pem"; /* redhat */
 
index a6bc16eea328792e56f63542ad5f15a2467f9311..8ffd059d668e48747aa945d26ed83629f8ad7922 100644 (file)
@@ -1500,7 +1500,6 @@ static int imapc_connection_ssl_init(struct imapc_connection *conn)
        if (conn->client->set.ssl_verify) {
                ssl_set.verbose_invalid_cert = TRUE;
                ssl_set.verify_remote_cert = TRUE;
-               ssl_set.require_valid_cert = TRUE;
        }
 
        if (conn->client->set.debug)
index db5c1216fcd344c71de245c0b44c35f35fc0a971..955010233e256df947b25f9dcf6dbe3ddc54b9d1 100644 (file)
@@ -132,7 +132,7 @@ openssl_iostream_verify_client_cert(int preverify_ok, X509_STORE_CTX *ctx)
        }
        if (preverify_ok == 0) {
                ssl_io->cert_broken = TRUE;
-               if (ssl_io->require_valid_cert) {
+               if (!ssl_io->allow_invalid_cert) {
                        ssl_io->handshake_failed = TRUE;
                        return 0;
                }
@@ -199,7 +199,7 @@ openssl_iostream_set(struct ssl_iostream *ssl_io,
 
        ssl_io->verbose = set->verbose;
        ssl_io->verbose_invalid_cert = set->verbose_invalid_cert || set->verbose;
-       ssl_io->require_valid_cert = set->require_valid_cert;
+       ssl_io->allow_invalid_cert = set->allow_invalid_cert;
        return 0;
 }
 
index 07f830cc24ddceab1f95262676536b2b22debff1..3bfefbf23c9e0e22797948291cdba3fd88723356 100644 (file)
@@ -36,7 +36,7 @@ struct ssl_iostream {
        int plain_stream_errno;
 
        /* copied settings */
-       bool verbose, verbose_invalid_cert, require_valid_cert;
+       bool verbose, verbose_invalid_cert, allow_invalid_cert;
        int username_nid;
 
        ssl_iostream_handshake_callback_t *handshake_callback;
index 930d099e7199cfddd5f2dbfd6a189cfaa34aba51..79d5e0d2b297b1acb815489b1dbd26b7ed4d92b4 100644 (file)
@@ -16,7 +16,7 @@ struct ssl_iostream_settings {
 
        bool verbose, verbose_invalid_cert; /* stream-only */
        bool verify_remote_cert; /* neither/both */
-       bool require_valid_cert; /* stream-only */
+       bool allow_invalid_cert; /* stream-only */
        bool prefer_server_ciphers;
        bool compression;
        bool tickets;
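Review bot: The new settings field keeps only the `/* stream-only */` tag, so the header does not say what the flag changes; since it is the opt-out from the safe default this commit introduces, it deserves a sentence. Based on openssl_iostream_verify_client_cert in iostream-openssl.c, a comment such as `/* stream-only. FALSE (the zero default): a peer certificate that fails verification fails the handshake. TRUE: the failure is only recorded in cert_broken. */` would document it. struct ssl_iostream_settings begins before this hunk.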
index e11c24425b2a4ed0520195e06fc0294ac3ab7f2c..23fca7e271121c2b1e58ab294bc8c84c1547b380 100644 (file)
@@ -570,7 +570,6 @@ static int pop3c_client_ssl_init(struct pop3c_client *client)
        if (client->set.ssl_verify) {
                ssl_set.verbose_invalid_cert = TRUE;
                ssl_set.verify_remote_cert = TRUE;
-               ssl_set.require_valid_cert = TRUE;
        }
 
        if (client->set.debug)