lib-ssl-iostream: Don't require SSL CA certs if require_valid_cert==FALSE
authorTimo Sirainen <timo.sirainen@dovecot.fi>
Fri, 7 Apr 2017 13:13:13 +0000 (16:13 +0300)
committerTimo Sirainen <timo.sirainen@dovecot.fi>
Fri, 7 Apr 2017 13:21:47 +0000 (16:21 +0300)
This happened only when verify_remote_cert was also TRUE. With this change,
the cert can be verified without actually requiring it to be valid.

src/lib-ssl-iostream/iostream-openssl-context.c

index 51d2483761c2fe4260b007fa42ef58bb9614802f..188ea7609edb09ceefdb8eabf1ee0b5ce93df91a 100644 (file)
@@ -310,7 +310,7 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx,
                have_ca = TRUE;
        }
 
-       if (!have_ca) {
+       if (!have_ca && set->require_valid_cert) {
                *error_r = !ctx->client_ctx ?
                        "Can't verify remote client certs without CA (ssl_ca setting)" :
                        "Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)";
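Review bot: The relaxed test `if (!have_ca && set->require_valid_cert)` lets the no-CA case fall through silently, and nothing at this spot says what that means for the peer check. When `have_ca` is false and `require_valid_cert` is FALSE, the context presumably ends up with no trust anchors, so verification cannot succeed and authenticity rests on the caller inspecting the result; a forgotten ssl_ca / ssl_client_ca_* setting then looks the same as a deliberate choice. I would add a comment above the test, such as `/* No CA and require_valid_cert=FALSE: continue without trust anchors; the caller must check the verification result itself. */`, and consider a debug-level log on that path so the misconfiguration is visible. The rest of ssl_iostream_context_load_ca() lies outside the hunk, so what runs after this block cannot be checked here.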