if (conn->haproxied) {
client->proxied_ssl = conn->haproxy.ssl;
client->connection_secured = conn->haproxy.ssl || client->trusted;
- client->ssl_secured = conn->haproxy.ssl;
+ client->end_client_tls_secured = conn->haproxy.ssl;
client->local_name = conn->haproxy.hostname;
client->client_cert_common_name = conn->haproxy.cert_common_name;
} else {
client->tls = TRUE;
client->connection_secured = TRUE;
- client->ssl_secured = TRUE;
+ client->end_client_tls_secured = TRUE;
if (client->starttls) {
io_remove(&client->io);
doesn't necessarily mean that the client connection behind the
previous hop is secured. */
bool connection_secured:1;
- bool ssl_secured:1;
+ /* End client is using TLS connection. The TLS termination may be either
+ on Dovecot side or HAProxy side. FIXME: This is broken on a proxying
+ setup, because it indicates whether the previous hop connection is
+ TLS secured, not whether the original client connection is TLS
+ secured. */
+ bool end_client_tls_secured:1;
bool trusted:1;
bool ssl_servername_settings_read:1;
bool banner_sent:1;
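Review bot: The new name `end_client_tls_secured` promises more than the added FIXME says the bit delivers, because on a proxying setup it still describes the previous hop rather than the original client. A reader at the use sites will assume an end-to-end guarantee: the two assignments in the first hunk, and `if (client->end_client_tls_secured)` in the login-request hunk, which sets `LOGIN_REQUEST_FLAG_CONN_SSL_SECURED` in `req.flags`. Because that flag is handed on with the login request, the comment should state what consumers may rely on until the FIXME is resolved, for example `Until fixed, treat this as "previous hop used TLS, or HAProxy reported TLS"; do not use it alone where end-client TLS is required.` In the haproxied branch the value is whatever `conn->haproxy.ssl` carries. These hunks do not show whether that header is accepted only from trusted senders, so that precondition is worth a sentence in the same comment. The struct definition starts and ends outside this hunk.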
req.flags |= LOGIN_REQUEST_FLAG_TLS_COMPRESSION;
if (client->connection_secured)
req.flags |= LOGIN_REQUEST_FLAG_CONN_SECURED;
- if (client->ssl_secured)
+ if (client->end_client_tls_secured)
req.flags |= LOGIN_REQUEST_FLAG_CONN_SSL_SECURED;
if (HAS_ALL_BITS(client->auth_flags, SASL_SERVER_AUTH_FLAG_IMPLICIT))
req.flags |= LOGIN_REQUEST_FLAG_IMPLICIT;