From: Aki Tuomi Date: Mon, 23 Jul 2018 09:40:15 +0000 (+0300) Subject: lib-ssl-iostream: Always fall back to default CAs for client contexts X-Git-Tag: 2.3.6~120 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=89010c6506e97810f81b563037f9cd20b68faf44;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream: Always fall back to default CAs for client contexts When creating a client context, we always try to load the default CA, if no CA settings have been provided. This makes it also possible to allow invalid certs without specifying ssl_client_ca settings, and also makes dovecot trust system store by default for outgoing connections. --- diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c index a34c0fd963..c4a614f65b 100644 --- a/src/lib-ssl-iostream/iostream-openssl-context.c +++ b/src/lib-ssl-iostream/iostream-openssl-context.c @@ -354,17 +354,15 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx, } have_ca = TRUE; } - if (!have_ca && ctx->client_ctx && !set->allow_invalid_cert) { + if (!have_ca && ctx->client_ctx) { if (SSL_CTX_set_default_verify_paths(ctx->ssl_ctx) != 1) { *error_r = t_strdup_printf( "Can't load default CA locations: %s (ssl_client_ca_* settings missing)", openssl_iostream_error()); return -1; } - } else if (!have_ca && !set->allow_invalid_cert) { - *error_r = !ctx->client_ctx ? - "Can't verify remote client certs without CA (ssl_ca setting)" : - "Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)"; + } else if (!have_ca) { + *error_r = "Can't verify remote client certs without CA (ssl_ca setting)"; return -1; } return 0;