lib-ssl-iostream: Always fall back to default CAs for client contexts

When creating a client context, we always try to load the default
CA, if no CA settings have been provided. This makes it also possible
to allow invalid certs without specifying ssl_client_ca settings,
and also makes dovecot trust system store by default for outgoing
connections.

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index a34c0fd96382a0178d7aa883429dea28b2ce38d8..c4a614f65bfaa8094429ff2323bc01be91f577dc 100644 (file)
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -354,17 +354,15 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx,
                }
                have_ca = TRUE;
        }
-       if (!have_ca && ctx->client_ctx && !set->allow_invalid_cert) {
+       if (!have_ca && ctx->client_ctx) {
                if (SSL_CTX_set_default_verify_paths(ctx->ssl_ctx) != 1) {
                        *error_r = t_strdup_printf(
                                "Can't load default CA locations: %s (ssl_client_ca_* settings missing)",
                                openssl_iostream_error());
                        return -1;
                }
-       } else if (!have_ca && !set->allow_invalid_cert) {
-               *error_r = !ctx->client_ctx ?
-                       "Can't verify remote client certs without CA (ssl_ca setting)" :
-                       "Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)";
+       } else if (!have_ca) {
+               *error_r = "Can't verify remote client certs without CA (ssl_ca setting)";
                return -1;
        }
        return 0;