lib-ssl-iostream: Fix ambiguity with SSL settings

 - lib-ssl-iostream as client: Use only allow_invalid_cert. If it's not set, verify the server cert.
 - lib-ssl-iostream as server: If verify_client_cert=FALSE, don't ask for the client cert. Otherwise, ask for client cert but still allow it if allow_invalid_cert=TRUE.

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 31d81bdf0c39a9a03050fc84655f0c71899f52f8..36b960c777b89f26f0e578a4ef2b9fbca2dad1eb 100644 (file)
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -544,10 +544,14 @@ int openssl_iostream_context_init_client(const struct ssl_iostream_settings *set
                                         struct ssl_iostream_context **ctx_r,
                                         const char **error_r)
 {
+       struct ssl_iostream_settings set_copy = *set;
        struct ssl_iostream_context *ctx;
        SSL_CTX *ssl_ctx;
 
-       if (ssl_iostream_init_global(set, error_r) < 0)
+       /* ensure this is set to TRUE */
+       set_copy.verify_remote_cert = TRUE;
+
+       if (ssl_iostream_init_global(&set_copy, error_r) < 0)
                return -1;
        if ((ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
                *error_r = t_strdup_printf("SSL_CTX_new() failed: %s",
@@ -559,7 +563,7 @@ int openssl_iostream_context_init_client(const struct ssl_iostream_settings *set
        ctx = i_new(struct ssl_iostream_context, 1);
        ctx->ssl_ctx = ssl_ctx;
        ctx->client_ctx = TRUE;
-       if (ssl_iostream_context_init_common(ctx, set, error_r) < 0) {
+       if (ssl_iostream_context_init_common(ctx, &set_copy, error_r) < 0) {
                ssl_iostream_context_deinit(&ctx);
                return -1;
        }