From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Fri, 14 Feb 2025 13:29:33 +0000 (+0200)
Subject: login-common: Allow invalid client cert if ssl_server_request_client_cert=any-cert
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05d6efb3ec73714de368f1521a450642de10a2c7;p=thirdparty%2Fdovecot%2Fcore.git

login-common: Allow invalid client cert if ssl_server_request_client_cert=any-cert
---

diff --git a/src/login-common/client-common.c b/src/login-common/client-common.c
index 20b79cc59e..3aaddb7ed3 100644
--- a/src/login-common/client-common.c
+++ b/src/login-common/client-common.c
@@ -1360,7 +1360,8 @@ bool client_get_extra_disconnect_reason(struct client *client,
 			*human_reason_r = "client didn't send a cert";
 			return TRUE;
 		}
-		if (!ssl_iostream_has_valid_client_cert(client->ssl_iostream)) {
+		if (client->ssl_server_set->parsed_opts.verify_client_cert &&
+		    !ssl_iostream_has_valid_client_cert(client->ssl_iostream)) {
 			*event_reason_r = "client_ssl_cert_untrusted";
 			*human_reason_r = "client sent an untrusted cert";
 			return TRUE;