lib-http, lib-smtp: Retry requests on unexpected SSL handshake failures
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Fri, 8 Aug 2025 11:54:54 +0000 (14:54 +0300)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Mon, 11 Aug 2025 07:47:35 +0000 (07:47 +0000)
Retrying should be disabled only when the certificate is invalid, not for other
handshake errors.

src/lib-http/http-client-connection.c
src/lib-smtp/smtp-client-connection.c

index 9dbd569399d41e6a2b77841a695a81492cec8b52..0edeaeb48ad28927db93ac6f03ecaf747027d2c3 100644 (file)
@@ -280,7 +280,10 @@ void http_client_connection_lost(struct http_client_connection **_conn,
                        error = t_strdup_printf("%s (last SSL error: %s)",
                                                error, sslerr);
                }
-               if (ssl_iostream_has_handshake_failed(conn->ssl_iostream)) {
+               enum ssl_iostream_state state =
+                       ssl_iostream_get_state(conn->ssl_iostream);
+               if (state == SSL_IOSTREAM_STATE_INVALID_CERT ||
+                   state == SSL_IOSTREAM_STATE_NAME_MISMATCH) {
                        /* This isn't really a "connection lost", but that we
                           don't trust the remote's SSL certificate. don't
                           retry. */
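Review bot: The comment under the new state check still explains only the no-retry case, although the check `state == SSL_IOSTREAM_STATE_INVALID_CERT || state == SSL_IOSTREAM_STATE_NAME_MISMATCH` now sends every other handshake state to the retry path. I would extend it, e.g. `/* Only certificate trust failures are final; other handshake errors may be transient and are retried. */`, so that a state added to enum ssl_iostream_state later is checked against this list instead of being retried by default. The retry itself happens outside this hunk (the body of http_client_connection_lost() continues past it), so it is not visible here whether retries are bounded and reuse the same verification settings; that is worth confirming, because a peer or on-path party can cause handshake failures repeatedly. The same comment gap exists in the smtp-client-connection.c hunk.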
index 7451dfff8a2e699c3d6dacfd77325d6bfdcf26f1..0c48fb5393602713d5723652979d5efbcc247310 100644 (file)
@@ -443,7 +443,10 @@ smtp_client_connection_lost(struct smtp_client_connection *conn,
                        error = t_strdup_printf(
                                "Connection lost (last SSL error: %s)", sslerr);
                }
-               if (ssl_iostream_has_handshake_failed(conn->ssl_iostream)) {
+               enum ssl_iostream_state state =
+                       ssl_iostream_get_state(conn->ssl_iostream);
+               if (state == SSL_IOSTREAM_STATE_INVALID_CERT ||
+                   state == SSL_IOSTREAM_STATE_NAME_MISMATCH) {
                        /* This isn't really a "connection lost", but that we
                           don't trust the remote's SSL certificate. */
                        i_assert(error != NULL);
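Review bot: This four-line state check is a copy of the one added in http-client-connection.c, so the two clients can drift apart on which states count as a final trust failure. A single predicate declared next to ssl_iostream_get_state() would keep that list in one place; the call sites would then read `if (ssl_iostream_cert_is_untrusted(conn->ssl_iostream)) {` (the helper name is only a suggestion and is not an existing function on this page). smtp_client_connection_lost() starts before and ends after this hunk, so what the non-certificate path does afterwards is not visible here.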