is forwarded to the config client process, which errors out only if
the settings struct is attempted to be used. This allows for example
doveadm to be called non-root and not fail even if it can't access
- ssl_key_file. */
+ ssl_server_key_file. */
const char *delayed_error;
};
ARRAY_DEFINE_TYPE(config_module_parsers, struct config_module_parser *);
Otherwise the SMTP SNI mechanism will break when looking up the
relevant settings. */
const char *const settings[] = {
- "ssl_ca_file", settings_file_get_value(unsafe_data_stack_pool,
- &server_set->ssl->ca),
- "ssl_cert_file", settings_file_get_value(unsafe_data_stack_pool,
- &server_set->ssl->cert.cert),
- "ssl_key_file", settings_file_get_value(unsafe_data_stack_pool,
- &server_set->ssl->cert.key),
+ "ssl_server_ca_file",
+ settings_file_get_value(unsafe_data_stack_pool,
+ &server_set->ssl->ca),
+ "ssl_server_cert_file",
+ settings_file_get_value(unsafe_data_stack_pool,
+ &server_set->ssl->cert.cert),
+ "ssl_server_key_file",
+ settings_file_get_value(unsafe_data_stack_pool,
+ &server_set->ssl->cert.key),
NULL,
};
struct settings_simple test_set;
Otherwise the SMTP SNI mechanism will break when looking up the
relevant settings. */
const char *const settings[] = {
- "ssl_ca_file",
+ "ssl_server_ca_file",
(server_set->ssl == NULL ? "" :
settings_file_get_value(unsafe_data_stack_pool,
&server_set->ssl->ca)),
- "ssl_cert_file",
+ "ssl_server_cert_file",
(server_set->ssl == NULL ? "" :
settings_file_get_value(unsafe_data_stack_pool,
&server_set->ssl->cert.cert)),
- "ssl_key_file",
+ "ssl_server_key_file",
(server_set->ssl == NULL ? "" :
settings_file_get_value(unsafe_data_stack_pool,
&server_set->ssl->cert.key)),
if (ERR_GET_LIB(err) == ERR_LIB_X509 &&
ERR_GET_REASON(err) == X509_R_KEY_VALUES_MISMATCH)
- return "Key is for a different cert than ssl_cert_file";
+ return "Key is for a different cert than ssl_server_cert_file";
else
return openssl_iostream_error();
}
return openssl_iostream_error();
else if (is_pem_key(cert)) {
return "The file contains a private key "
- "(you've mixed ssl_cert_file and ssl_key_file settings)";
+ "(you've mixed ssl_server_cert_file and ssl_server_key_file settings)";
} else {
return "There is no valid PEM certificate.";
}
SSL_get_ex_data(ssl, dovecot_ssl_extdata_index);
e_error(ssl_io->event, "Diffie-Hellman key exchange requested, "
- "but no DH parameters provided. Set ssl_dh_file=/path/to/dh.pem");
+ "but no DH parameters provided. Set ssl_server_dh_file=/path/to/dh.pem");
return NULL;
}
#endif
"Couldn't parse private SSL key (%s setting)%s: %s",
set_name,
ctx.password != NULL ?
- " (maybe ssl_key_password is wrong?)" :
+ " (maybe ssl_server_key_password is wrong?)" :
"",
openssl_iostream_error());
}
#endif
{
*error_r = t_strdup_printf(
- "Can't load DH parameters (ssl_dh_file setting): %s",
+ "Can't load DH parameters (ssl_server_dh_file setting): %s",
openssl_iostream_key_load_error());
ret = -1;
}
if (set->ca.content != NULL && set->ca.content[0] != '\0') {
store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
if (load_ca(store, set->ca.content, &xnames) < 0) {
- *error_r = t_strdup_printf("Couldn't parse ssl_ca_file: %s",
- openssl_iostream_error());
+ *error_r = t_strdup_printf(
+ "Couldn't parse ssl_server_ca_file: %s",
+ openssl_iostream_error());
return -1;
}
ssl_iostream_ctx_verify_remote_cert(ctx, set, xnames);
return -1;
}
} else if (!have_ca) {
- *error_r = "Can't verify remote client certs without CA (ssl_ca_file setting)";
+ *error_r = "Can't verify remote client certs without CA (ssl_server_ca_file setting)";
return -1;
}
return 0;
}
/* Client can ignore an empty ssl_client_cert_file, but server will fail
- if ssl_cert_file is empty. */
+ if ssl_server_cert_file is empty. */
if (set->cert.cert.content != NULL &&
(set->cert.cert.content[0] != '\0' || !ctx->client_ctx) &&
ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->cert.cert.content) == 0) {
*error_r = t_strdup_printf(
- "Can't load SSL certificate (ssl_cert_file setting): %s",
+ "Can't load SSL certificate (ssl_server_cert_file setting): %s",
openssl_iostream_use_certificate_error(set->cert.cert.content));
return -1;
}
if (set->cert.key.content != NULL && set->cert.key.content[0] != '\0') {
- if (ssl_iostream_ctx_use_key(ctx, "ssl_key_file",
+ if (ssl_iostream_ctx_use_key(ctx, "ssl_server_key_file",
&set->cert, error_r) < 0)
return -1;
}
ssl_ctx_use_certificate_chain(ctx->ssl_ctx, set->alt_cert.cert.content) == 0) {
*error_r = t_strdup_printf(
"Can't load alternative SSL certificate "
- "(ssl_alt_cert_file setting): %s",
+ "(ssl_server_alt_cert_file setting): %s",
openssl_iostream_use_certificate_error(set->alt_cert.cert.content));
return -1;
}
if (set->alt_cert.key.content != NULL &&
set->alt_cert.key.content[0] != '\0') {
- if (ssl_iostream_ctx_use_key(ctx, "ssl_alt_key_file",
+ if (ssl_iostream_ctx_use_key(ctx, "ssl_server_alt_key_file",
&set->alt_cert, error_r) < 0)
return -1;
}
ctx->username_nid = OBJ_txt2nid(set->cert_username_field);
if (ctx->username_nid == NID_undef) {
*error_r = t_strdup_printf(
- "Invalid ssl_cert_username_field: %s",
+ "Invalid ssl_server_cert_username_field: %s",
set->cert_username_field);
return -1;
}
X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), certname,
ssl_io->ctx->client_ctx ?
"ssl_client_ca_* settings?" :
- "ssl_ca_file setting?"));
+ "ssl_server_ca_file setting?"));
} else {
e_debug(ssl_io->event, "Received valid SSL certificate: %s", certname);
}
static const struct setting_define ssl_server_setting_defines[] = {
DEF(ENUM, ssl),
- DEF(FILE, ssl_ca_file),
- DEF(FILE, ssl_cert_file),
- DEF(FILE, ssl_key_file),
- DEF(FILE, ssl_alt_cert_file),
- DEF(FILE, ssl_alt_key_file),
- DEF(STR, ssl_key_password),
- DEF(FILE, ssl_dh_file),
- DEF(STR, ssl_cert_username_field),
- DEF(ENUM, ssl_prefer_ciphers),
-
- DEF(BOOL, ssl_require_crl),
- DEF(BOOL, ssl_request_client_cert),
+ DEF(FILE, ssl_server_ca_file),
+ DEF(FILE, ssl_server_cert_file),
+ DEF(FILE, ssl_server_key_file),
+ DEF(FILE, ssl_server_alt_cert_file),
+ DEF(FILE, ssl_server_alt_key_file),
+ DEF(STR, ssl_server_key_password),
+ DEF(FILE, ssl_server_dh_file),
+ DEF(STR, ssl_server_cert_username_field),
+ DEF(ENUM, ssl_server_prefer_ciphers),
+
+ DEF(BOOL, ssl_server_require_crl),
+ DEF(BOOL, ssl_server_request_client_cert),
SETTING_DEFINE_LIST_END
};
static const struct ssl_server_settings ssl_server_default_settings = {
.ssl = "yes:no:required",
- .ssl_ca_file = "",
- .ssl_cert_file = "",
- .ssl_key_file = "",
- .ssl_alt_cert_file = "",
- .ssl_alt_key_file = "",
- .ssl_key_password = "",
- .ssl_dh_file = "",
- .ssl_cert_username_field = "commonName",
- .ssl_prefer_ciphers = "client:server",
-
- .ssl_require_crl = TRUE,
- .ssl_request_client_cert = FALSE,
+ .ssl_server_ca_file = "",
+ .ssl_server_cert_file = "",
+ .ssl_server_key_file = "",
+ .ssl_server_alt_cert_file = "",
+ .ssl_server_alt_key_file = "",
+ .ssl_server_key_password = "",
+ .ssl_server_dh_file = "",
+ .ssl_server_cert_username_field = "commonName",
+ .ssl_server_prefer_ciphers = "client:server",
+
+ .ssl_server_require_crl = TRUE,
+ .ssl_server_request_client_cert = FALSE,
};
const struct setting_parser_info ssl_server_setting_parser_info = {
return TRUE;
}
- if (set->ssl_request_client_cert && *set->ssl_ca_file == '\0') {
- *error_r = "ssl_request_client_cert set, but ssl_ca_file not";
+ if (set->ssl_server_request_client_cert &&
+ *set->ssl_server_ca_file == '\0') {
+ *error_r = "ssl_server_request_client_cert set, but ssl_server_ca_file not";
return FALSE;
}
return TRUE;
ssl_common_settings_to_iostream_set(ssl_set);
pool_add_external_ref(set->pool, ssl_server_set->pool);
- settings_file_get(ssl_server_set->ssl_ca_file, set->pool, &set->ca);
- settings_file_get(ssl_server_set->ssl_cert_file,
+ settings_file_get(ssl_server_set->ssl_server_ca_file, set->pool, &set->ca);
+ settings_file_get(ssl_server_set->ssl_server_cert_file,
set->pool, &set->cert.cert);
- settings_file_get(ssl_server_set->ssl_key_file,
+ settings_file_get(ssl_server_set->ssl_server_key_file,
set->pool, &set->cert.key);
- set->cert.key_password = ssl_server_set->ssl_key_password;
- if (ssl_server_set->ssl_alt_cert_file != NULL &&
- *ssl_server_set->ssl_alt_cert_file != '\0') {
- settings_file_get(ssl_server_set->ssl_alt_cert_file,
+ set->cert.key_password = ssl_server_set->ssl_server_key_password;
+ if (ssl_server_set->ssl_server_alt_cert_file != NULL &&
+ *ssl_server_set->ssl_server_alt_cert_file != '\0') {
+ settings_file_get(ssl_server_set->ssl_server_alt_cert_file,
set->pool, &set->alt_cert.cert);
- settings_file_get(ssl_server_set->ssl_alt_key_file,
+ settings_file_get(ssl_server_set->ssl_server_alt_key_file,
set->pool, &set->alt_cert.key);
- set->alt_cert.key_password = ssl_server_set->ssl_key_password;
+ set->alt_cert.key_password =
+ ssl_server_set->ssl_server_key_password;
}
- settings_file_get(ssl_server_set->ssl_dh_file, set->pool, &set->dh);
+ settings_file_get(ssl_server_set->ssl_server_dh_file,
+ set->pool, &set->dh);
set->cert_username_field =
- ssl_server_set->ssl_cert_username_field;
+ ssl_server_set->ssl_server_cert_username_field;
set->prefer_server_ciphers =
- strcmp(ssl_server_set->ssl_prefer_ciphers, "server") == 0;
- set->verify_remote_cert = ssl_server_set->ssl_request_client_cert;
+ strcmp(ssl_server_set->ssl_server_prefer_ciphers, "server") == 0;
+ set->verify_remote_cert = ssl_server_set->ssl_server_request_client_cert;
set->allow_invalid_cert = !set->verify_remote_cert;
- /* ssl_require_crl is used only for checking client-provided SSL
+ /* ssl_server_require_crl is used only for checking client-provided SSL
certificate's CRL. */
- set->skip_crl_check = !ssl_server_set->ssl_require_crl;
+ set->skip_crl_check = !ssl_server_set->ssl_server_require_crl;
*set_r = set;
}
pool_t pool;
const char *ssl;
- const char *ssl_ca_file;
- const char *ssl_cert_file;
- const char *ssl_alt_cert_file;
- const char *ssl_key_file;
- const char *ssl_alt_key_file;
- const char *ssl_key_password;
- const char *ssl_dh_file;
- const char *ssl_cert_username_field;
- const char *ssl_prefer_ciphers;
+ const char *ssl_server_ca_file;
+ const char *ssl_server_cert_file;
+ const char *ssl_server_alt_cert_file;
+ const char *ssl_server_key_file;
+ const char *ssl_server_alt_key_file;
+ const char *ssl_server_key_password;
+ const char *ssl_server_dh_file;
+ const char *ssl_server_cert_username_field;
+ const char *ssl_server_prefer_ciphers;
- bool ssl_require_crl;
- bool ssl_request_client_cert;
+ bool ssl_server_require_crl;
+ bool ssl_server_request_client_cert;
};
extern const struct setting_parser_info ssl_setting_parser_info;
projects / thirdparty / dovecot / core.git / commitdiff
