From: Aki Tuomi
Date: Mon, 20 Feb 2017 07:32:15 +0000 (+0200)
Subject: lib-ssl-iostream: Fix ambiguity with SSL settings
X-Git-Tag: 2.3.0.rc1~2002
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=38424b8081a75be3ef93729fed4d30dbafca5885;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: Fix ambiguity with SSL settings

- lib-ssl-iostream as client: Use only allow_invalid_cert. If it's not set, verify the server cert.
- lib-ssl-iostream as server: If verify_client_cert=FALSE, don't ask for the client cert. Otherwise, ask for client cert but still allow it if allow_invalid_cert=TRUE.
---

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index 31d81bdf0c..36b960c777 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -544,10 +544,14 @@ int openssl_iostream_context_init_client(const struct ssl_iostream_settings *set
 					       struct ssl_iostream_context **ctx_r,
 					       const char **error_r)
 {
+	struct ssl_iostream_settings set_copy = *set;
 	struct ssl_iostream_context *ctx;
 	SSL_CTX *ssl_ctx;
 
-	if (ssl_iostream_init_global(set, error_r) < 0)
+	/* ensure this is set to TRUE */
+	set_copy.verify_remote_cert = TRUE;
+
+	if (ssl_iostream_init_global(&set_copy, error_r) < 0)
 		return -1;
 	if ((ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
 		*error_r = t_strdup_printf("SSL_CTX_new() failed: %s",
@@ -559,7 +563,7 @@ int openssl_iostream_context_init_client(const struct ssl_iostream_settings *set
 	ctx = i_new(struct ssl_iostream_context, 1);
 	ctx->ssl_ctx = ssl_ctx;
 	ctx->client_ctx = TRUE;
-	if (ssl_iostream_context_init_common(ctx, set, error_r) < 0) {
+	if (ssl_iostream_context_init_common(ctx, &set_copy, error_r) < 0) {
 		ssl_iostream_context_deinit(&ctx);
 		return -1;
 	}
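Review bot: The added comment `/* ensure this is set to TRUE */` above `set_copy.verify_remote_cert = TRUE;` only restates the assignment, and the security rationale from the commit message is what a future reader needs in the code: a client context always verifies the server certificate, and only allow_invalid_cert decides whether a verification failure is fatal. I would replace it with `/* client side: always verify the server cert; whether a failed verification is fatal is decided by allow_invalid_cert alone, never by the caller's verify_remote_cert */`. Note also that `set_copy = *set` is a shallow struct copy, so any pointer members still alias the caller's settings, which is fine for the duration of this call but matters if the copy is retained. openssl_iostream_context_init_client's signature sits in the hunk header and its body continues past the hunk.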
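Review bot: On the changed line `ssl_iostream_context_init_common(ctx, &set_copy, error_r)`, `&set_copy` is the address of an automatic variable of openssl_iostream_context_init_client, so if ssl_iostream_context_init_common stores that settings pointer in ctx rather than duplicating what it keeps (not visible in this diff), the context would hold a dangling pointer as soon as this function returns. Worth confirming that init_common copies the settings it retains; if it does store the pointer, the copy should be allocated from the context's own storage instead of the stack. The function continues beyond this hunk.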