From: Timo Sirainen
Date: Fri, 8 Aug 2025 11:54:54 +0000 (+0300)
Subject: lib-http, lib-smtp: Retry requests on unexpected SSL handshake failures
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=845b65e15d952c93984652676fe27b6e984cfcfb;p=thirdparty%2Fdovecot%2Fcore.git
lib-http, lib-smtp: Retry requests on unexpected SSL handshake failures
Retrying should be disabled only when certificate is invalid, not for other handshake errors.
---
diff --git a/src/lib-http/http-client-connection.c b/src/lib-http/http-client-connection.c
index 9dbd569399..0edeaeb48a 100644
--- a/src/lib-http/http-client-connection.c
+++ b/src/lib-http/http-client-connection.c
@@ -280,7 +280,10 @@ void http_client_connection_lost(struct http_client_connection **_conn,
 error = t_strdup_printf("%s (last SSL error: %s)", error, sslerr); }
- if (ssl_iostream_has_handshake_failed(conn->ssl_iostream)) {
+ enum ssl_iostream_state state =
+ ssl_iostream_get_state(conn->ssl_iostream);
+ if (state == SSL_IOSTREAM_STATE_INVALID_CERT ||
+ state == SSL_IOSTREAM_STATE_NAME_MISMATCH) {
 /* This isn't really a "connection lost", but that we don't trust the remote's SSL certificate. don't retry. */
diff --git a/src/lib-smtp/smtp-client-connection.c b/src/lib-smtp/smtp-client-connection.c
index 7451dfff8a..0c48fb5393 100644
--- a/src/lib-smtp/smtp-client-connection.c
+++ b/src/lib-smtp/smtp-client-connection.c
@@ -443,7 +443,10 @@ smtp_client_connection_lost(struct smtp_client_connection *conn,
 error = t_strdup_printf( "Connection lost (last SSL error: %s)", sslerr); }
- if (ssl_iostream_has_handshake_failed(conn->ssl_iostream)) {
+ enum ssl_iostream_state state =
+ ssl_iostream_get_state(conn->ssl_iostream);
+ if (state == SSL_IOSTREAM_STATE_INVALID_CERT ||
+ state == SSL_IOSTREAM_STATE_NAME_MISMATCH) {
 /* This isn't really a "connection lost", but that we don't trust the remote's SSL certificate. */ i_assert(error != NULL);
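Review bot: The no-retry decision in http_client_connection_lost() is now an explicit list of two states, `SSL_IOSTREAM_STATE_INVALID_CERT` and `SSL_IOSTREAM_STATE_NAME_MISMATCH`, so any other value of `enum ssl_iostream_state` that means the peer is untrusted (one added later, for instance) would silently fall through to the retry path. The same two-line comparison is repeated in smtp_client_connection_lost() in the second hunk. Because this comparison is what keeps a certificate rejection from being handled as a transient network error, I would move it into one shared predicate next to `ssl_iostream_get_state()` instead of keeping two copies. I would also state the intent at both call sites, e.g. `/* Only certificate trust failures are final; other handshake errors may be transient and are retried. */`. Both functions begin and end outside their hunks, so whether `conn->ssl_iostream` can be NULL at this point and how the number of retries is bounded cannot be checked from this page.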