]> git.ipfire.org Git - thirdparty/dovecot/core.git/commitdiff
lib-ssl-iostream: Don't require SSL CA certs if allow_invalid_cert=TRUE
authorTimo Sirainen <timo.sirainen@dovecot.fi>
Fri, 7 Apr 2017 13:13:13 +0000 (16:13 +0300)
committerTimo Sirainen <timo.sirainen@dovecot.fi>
Fri, 7 Apr 2017 13:19:21 +0000 (16:19 +0300)
This happened only when verify_remote_cert was also TRUE. But this behavior
now allows verifying the cert without actually requiring it to be valid.

src/lib-ssl-iostream/iostream-openssl-context.c

index 36b960c777b89f26f0e578a4ef2b9fbca2dad1eb..229a880ffef51b7c7d069c541848a88be0031021 100644 (file)
@@ -342,7 +342,7 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx,
                have_ca = TRUE;
        }
 
-       if (!have_ca) {
+       if (!have_ca && !set->allow_invalid_cert) {
                *error_r = !ctx->client_ctx ?
                        "Can't verify remote client certs without CA (ssl_ca setting)" :
                        "Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)";