From: Aki Tuomi
Date: Sun, 13 Oct 2019 18:06:12 +0000 (+0300)
Subject: doveadm: Setup ssl connection when ssl_flags require it
X-Git-Tag: 2.3.9~101
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=34d90053451d76602aa51dac8df954c0429e7ed2;p=thirdparty%2Fdovecot%2Fcore.git

doveadm: Setup ssl connection when ssl_flags require it
---

diff --git a/src/doveadm/doveadm-dsync.c b/src/doveadm/doveadm-dsync.c
index 8055a29753..a0621196fe 100644
--- a/src/doveadm/doveadm-dsync.c
+++ b/src/doveadm/doveadm-dsync.c
@@ -856,6 +856,7 @@ dsync_connect_tcp(struct dsync_cmd_context *ctx,
 "Couldn't initialize SSL context: %s", error);
 return -1;
 }
+ server->ssl_flags = PROXY_SSL_FLAG_YES;
 server->ssl_ctx = ctx->ssl_ctx;
 }
 p_array_init(&server->connections, ctx->ctx.pool, 1);
diff --git a/src/doveadm/doveadm-server.h b/src/doveadm/doveadm-server.h
index 170a554052..6bf80aaaa6 100644
--- a/src/doveadm/doveadm-server.h
+++ b/src/doveadm/doveadm-server.h
@@ -4,11 +4,23 @@ extern struct client_connection *doveadm_client;
 extern struct doveadm_print_vfuncs doveadm_print_server_vfuncs;
+enum doveadm_proxy_ssl_flags {
+ /* Use SSL/TLS enabled */
+ PROXY_SSL_FLAG_YES = 0x01,
+ /* Don't do SSL handshake immediately after connected */
+ PROXY_SSL_FLAG_STARTTLS = 0x02,
+ /* Don't require that the received certificate is valid */
+ PROXY_SSL_FLAG_ANY_CERT = 0x04
+};
+
 struct doveadm_server {
 /* host:port */
 const char *name;
 /* host only */
 const char *hostname;
+
+ /* ssl related settings */
+ enum doveadm_proxy_ssl_flags ssl_flags;
 struct ssl_iostream_context *ssl_ctx;
 ARRAY(struct server_connection *) connections;
diff --git a/src/doveadm/server-connection.c b/src/doveadm/server-connection.c
index 9ffa23e40e..51a4038037 100644
--- a/src/doveadm/server-connection.c
+++ b/src/doveadm/server-connection.c
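Review bot: PROXY_SSL_FLAG_STARTTLS is introduced in the doveadm-server.h hunk but nothing in this commit consults it — server_connection_init_ssl in the server-connection.c hunk only tests `ssl_flags == 0` and `PROXY_SSL_FLAG_ANY_CERT` before calling io_stream_create_ssl_client, so a server with only STARTTLS set would presumably still get an immediate handshake. Either the flag should be honoured where the handshake is started, or its comment should say it is reserved for a later change. The ANY_CERT comment also understates what the flag does; I would write `/* Don't require that the received certificate is valid: peer verification is disabled, so this must be an explicit opt-in */`. The first comment reads awkwardly; `/* SSL/TLS is enabled for this server */` says what it means.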
@@ -492,13 +492,25 @@ static int server_connection_init_ssl(struct server_connection *conn,
 struct ssl_iostream_settings ssl_set;
 const char *error;
- if (conn->server->ssl_ctx == NULL)
+ if (conn->server->ssl_flags == 0)
 return 0;
- doveadm_get_ssl_settings(&ssl_set, conn->pool);
+ doveadm_get_ssl_settings(&ssl_set, pool_datastack_create());
+
+ if ((conn->server->ssl_flags & PROXY_SSL_FLAG_ANY_CERT) != 0)
+ ssl_set.allow_invalid_cert = TRUE;
 if (ssl_set.allow_invalid_cert)
 ssl_set.verbose_invalid_cert = TRUE;
+ if (conn->server->ssl_ctx == NULL &&
+ ssl_iostream_client_context_cache_get(&ssl_set,
+ &conn->server->ssl_ctx,
+ &error) < 0) {
+ *error_r = t_strdup_printf(
+ "Couldn't initialize SSL client: %s", error);
+ return -1;
+ }
+
 if (io_stream_create_ssl_client(conn->server->ssl_ctx,
 conn->server->hostname,
 &ssl_set, &conn->input, &conn->output,
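Review bot: `doveadm_get_ssl_settings(&ssl_set, pool_datastack_create());` now fills ssl_set from the data stack, while the SSL context built from it a few lines later is stored in `conn->server->ssl_ctx` and outlives this call. If ssl_iostream_client_context_cache_get or io_stream_create_ssl_client keeps pointers into ssl_set instead of copying its strings, those pointers dangle once the enclosing data-stack frame is popped; the old `conn->pool` allocation did not have that problem, so this is worth confirming against the cache implementation. Separately, the guard `if (conn->server->ssl_flags == 0)` lets a server with only PROXY_SSL_FLAG_ANY_CERT or PROXY_SSL_FLAG_STARTTLS set proceed to TLS setup; testing `(conn->server->ssl_flags & PROXY_SSL_FLAG_YES) == 0` would tie the early exit to the flag that actually means "use TLS". Setting verbose_invalid_cert whenever ANY_CERT is requested is good, since certificate failures that are being tolerated still get logged. server_connection_init_ssl continues past the end of the hunk.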