login-common: Indicate TLS encryption if haproxy says it was
authorAki Tuomi <aki.tuomi@dovecot.fi>
Fri, 1 Dec 2017 11:16:34 +0000 (13:16 +0200)
committerVille Savolainen <ville.savolainen@dovecot.fi>
Tue, 13 Mar 2018 12:09:40 +0000 (14:09 +0200)
src/login-common/client-common.c
src/login-common/client-common.h
src/login-common/sasl-server.c

index 348db634cdd7fc80f2de3bfe5bcb60d114cc5675..ba92802052421857203ba9d6bbc40d822cf5c64e 100644 (file)
@@ -193,6 +193,7 @@ client_alloc(int fd, pool_t pool,
        client->trusted = client_is_trusted(client);
 
        if (conn->proxied) {
+               client->proxied_ssl = conn->proxy.ssl;
                client->secured = conn->proxy.ssl || client->trusted;
                client->ssl_secured = conn->proxy.ssl;
                client->local_name = conn->proxy.hostname;
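Review bot: `client->proxied_ssl` and `client->ssl_secured` are both copied straight from `conn->proxy.ssl`, a flag asserted by the upstream proxy in its PROXY-protocol header rather than anything this process verified, so any peer allowed to speak PROXY to this listener can mark a plaintext session as TLS-secured. That is only sound if `conn->proxied` is set exclusively for connections arriving from configured trusted haproxy addresses, which this hunk does not show; please confirm where that restriction is enforced (presumably in the master-service haproxy handling) and record it here, e.g. `/* conn->proxy.* is trusted only because PROXY headers are accepted solely from configured haproxy networks; TLS was terminated by haproxy, not by us */`. client_alloc continues outside the hunk.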
@@ -760,6 +761,9 @@ get_var_expand_table(struct client *client)
        if (!client->tls) {
                tab[11].value = client->secured ? "secured" : NULL;
                tab[12].value = "";
+       } else if (client->proxied_ssl) {
+               tab[11].value = "TLS";
+               tab[12].value = "(proxied)";
        } else {
                const char *ssl_state =
                        ssl_iostream_is_handshaked(client->ssl_iostream) ?
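Review bot: The new `(proxied)` branch is reachable only when `client->tls` is already true, and nothing in this diff sets `tls` for a proxied connection, so unless some path outside the diff sets it for the haproxy case, sessions with `proxied_ssl` fall into the first branch and are logged as `secured` rather than `TLS (proxied)`. Testing the proxied flag first removes that dependency: `if (client->proxied_ssl) { tab[11].value = "TLS"; tab[12].value = "(proxied)"; } else if (!client->tls) {` with the remaining branches unchanged. It also makes explicit that the final branch, which dereferences `client->ssl_iostream`, never runs for a proxied session, where that stream is presumably never created. get_var_expand_table starts and ends outside the hunk.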
index 62ff639e7b70e640b5fbab77a0cdea04ab5223fe..b18a30a5e4fc1c2a320a34fec0071eaf63f6eef4 100644 (file)
@@ -210,6 +210,7 @@ struct client {
        bool no_extra_disconnect_reason:1;
        bool starttls:1;
        bool tls:1;
+       bool proxied_ssl:1;
        bool secured:1;
        bool ssl_secured:1;
        bool trusted:1;
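Review bot: `proxied_ssl` is the fourth overlapping security flag in this struct after `tls`, `secured` and `ssl_secured`, and nothing at the declaration says how they relate, so a reader cannot tell that it means TLS was terminated upstream rather than by this process. A one-line comment on the field would settle it: `/* TLS was terminated by a trusted haproxy (reported via PROXY header), not by this process */`. struct client starts and ends outside the hunk.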
index b2dbb38feccb2b30ad011042fbdec0c8c3850a41..2b8c2dac76dec4f9581c7bbfbc47a82088d0552f 100644 (file)
@@ -68,6 +68,8 @@ client_get_auth_flags(struct client *client)
        if (client->ssl_iostream != NULL &&
            ssl_iostream_has_valid_client_cert(client->ssl_iostream))
                auth_flags |= AUTH_REQUEST_FLAG_VALID_CLIENT_CERT;
+       if (client->tls)
+               auth_flags |= AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS;
        if (client->secured)
                auth_flags |= AUTH_REQUEST_FLAG_SECURED;
        if (login_binary->sasl_support_final_reply)
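Review bot: `AUTH_REQUEST_FLAG_TRANSPORT_SECURITY_TLS` is keyed on `client->tls` alone, whereas the haproxy case this commit targets is recorded in `proxied_ssl`/`ssl_secured` by client_alloc; if `tls` is not also set on that path, auth is never told the transport was TLS for exactly those sessions. Keying on the broader condition avoids the dependency: `if (client->tls || client->proxied_ssl)`. Separately, a proxied session has no `ssl_iostream`, so the client-certificate check just above stays false and a certificate validated by haproxy is never reported as `VALID_CLIENT_CERT`; a comment stating whether that is deliberate (the PROXY header's certificate claims are not consulted here) would stop the next reader from "fixing" it. client_get_auth_flags continues outside the hunk.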