From 74b7b25c4ef1175fe1cd12fbd56a287b8c80595b Mon Sep 17 00:00:00 2001
From: Timo Sirainen
Date: Wed, 1 Nov 2017 01:38:19 +0200
Subject: [PATCH] lib-ssl-iostream: io_stream_create_ssl_client() - Move code to set verify_remote_cert=TRUE

Enable it in the generic SSL code instead of OpenSSL-specific code.
---
 src/lib-ssl-iostream/iostream-openssl-context.c | 8 ++------
 src/lib-ssl-iostream/iostream-ssl.c | 7 ++++++-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c
index d05e0c208a..ae35005fa1 100644
--- a/src/lib-ssl-iostream/iostream-openssl-context.c
+++ b/src/lib-ssl-iostream/iostream-openssl-context.c
@@ -577,14 +577,10 @@ int openssl_iostream_context_init_client(const struct ssl_iostream_settings *set
 struct ssl_iostream_context **ctx_r,
 const char **error_r)
 {
- struct ssl_iostream_settings set_copy = *set;
 struct ssl_iostream_context *ctx;
 SSL_CTX *ssl_ctx;
 
- /* ensure this is set to TRUE */
- set_copy.verify_remote_cert = TRUE;
-
- if (ssl_iostream_init_global(&set_copy, error_r) < 0)
+ if (ssl_iostream_init_global(set, error_r) < 0)
 return -1;
 if ((ssl_ctx = SSL_CTX_new(SSLv23_client_method())) == NULL) {
 *error_r = t_strdup_printf("SSL_CTX_new() failed: %s",
@@ -597,7 +593,7 @@ int openssl_iostream_context_init_client(const struct ssl_iostream_settings *set
 ctx->refcount = 1;
 ctx->ssl_ctx = ssl_ctx;
 ctx->client_ctx = TRUE;
- if (ssl_iostream_context_init_common(ctx, &set_copy, error_r) < 0) {
+ if (ssl_iostream_context_init_common(ctx, set, error_r) < 0) {
 ssl_iostream_context_unref(&ctx);
 return -1;
 }
diff --git a/src/lib-ssl-iostream/iostream-ssl.c b/src/lib-ssl-iostream/iostream-ssl.c
index 228c982eaf..2daa04e1b1 100644
--- a/src/lib-ssl-iostream/iostream-ssl.c
+++ b/src/lib-ssl-iostream/iostream-ssl.c
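Review bot: With set_copy removed, openssl_iostream_context_init_client() no longer enforces verify_remote_cert itself; after this hunk the guarantee rests entirely on whoever passes `set` in, which presumably is only the generic wrapper through ssl_vfuncs. A caller that reaches this backend function directly, or a second backend added later that forgets the same step, would build a client context that skips peer verification with no diagnostic. I would keep a cheap belt-and-braces check at the top of the function — the project's assertion macro on `set->verify_remote_cert`, or at minimum a comment above the ssl_iostream_init_global() call such as `/* verify_remote_cert is forced TRUE by the generic ssl_iostream_context_init_client(); do not call this backend entry point directly. */`. The function's signature starts before the first hunk and its body continues past the second.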
@@ -80,11 +80,16 @@ int ssl_iostream_context_init_client(const struct ssl_iostream_settings *set,
 struct ssl_iostream_context **ctx_r,
 const char **error_r)
 {
+ struct ssl_iostream_settings set_copy = *set;
+
+ /* ensure this is set to TRUE */
+ set_copy.verify_remote_cert = TRUE;
+
 if (!ssl_module_loaded) {
 if (ssl_module_load(error_r) < 0)
 return -1;
 }
- return ssl_vfuncs->context_init_client(set, ctx_r, error_r);
+ return ssl_vfuncs->context_init_client(&set_copy, ctx_r, error_r);
 }
 
 int ssl_iostream_context_init_server(const struct ssl_iostream_settings *set,
-- 
2.47.3
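Review bot: The moved comment `/* ensure this is set to TRUE */` says what the line does but not why, and a caller that deliberately passes verify_remote_cert=FALSE is now silently overridden in the generic layer for every backend rather than in one. I would state the policy so nobody "fixes" it later: `/* Client contexts always verify the peer certificate: the caller's verify_remote_cert is ignored and forced TRUE before any backend sees the settings. */`. Note also that `set_copy = *set` is a shallow copy, so any pointer members still alias the caller's settings for the duration of the call — fine as far as this hunk shows, but worth a word if a backend retains them beyond context_init_client(). The signature line of ssl_iostream_context_init_client() is outside the hunk.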