old_settings_handle_root(struct config_parser_context *ctx,
const char *key, const char *value)
{
- const char *p, *suffix;
+ const char *suffix;
size_t len;
if (strcmp(key, "base_dir") == 0) {
old_set_parser_apply(ctx, CONFIG_LINE_TYPE_KEYVALUE, key, value);
return TRUE;
}
- if (strcmp(key, "ssl_ca_file") == 0) {
- if (*value == '\0')
- return TRUE;
- p = t_strdup_until(key, strrchr(key, '_'));
- obsolete(ctx, "%s has been replaced by %s = <file", key, p);
- old_set_parser_apply(ctx, CONFIG_LINE_TYPE_KEYFILE, p, value);
- return TRUE;
- }
if (strcmp(key, "ssl_disable") == 0) {
if (strcasecmp(value, "yes") == 0)
value = "no";
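Review bot: Removing the `ssl_ca_file` → `ssl_ca` translation leaves no visible counterpart for the legacy `ssl_ca` key, whose setting definition this same commit renames to `ssl_ca_file`; unless the remainder of old_settings_handle_root maps `ssl_ca` onto the new name, an existing configuration with `ssl_ca = <path` would no longer land on a defined setting. If that mapping is intended to live elsewhere, a one-line comment at the removal site naming where the legacy `ssl_ca` key is handled would make the intent clear to the next reader. The function body continues past the end of this hunk, so the rest of its key handling cannot be checked here.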
ber_str2bv(conn->set.password, strlen(conn->set.password), 0, &conn->cred);
}
/* cannot use these */
- conn->ssl_set.ca = NULL;
+ i_zero(&conn->ssl_set.ca);
conn->ssl_set.cert.key_password = NULL;
conn->ssl_set.cert_username_field = NULL;
conn->ssl_set.crypto_device = NULL;
Otherwise the SMTP SNI mechanism will break when looking up the
relevant settings. */
const char *const settings[] = {
- "ssl_ca", server_set->ssl->ca,
+ "ssl_ca_file", settings_file_get_value(unsafe_data_stack_pool,
+ &server_set->ssl->ca),
"ssl_cert_file", settings_file_get_value(unsafe_data_stack_pool,
&server_set->ssl->cert.cert),
"ssl_key_file", settings_file_get_value(unsafe_data_stack_pool,
const char *ca_file, *ca_dir;
bool have_ca = FALSE;
- if (set->ca != NULL && set->ca[0] != '\0') {
+ if (set->ca.content != NULL && set->ca.content[0] != '\0') {
store = SSL_CTX_get_cert_store(ctx->ssl_ctx);
- if (load_ca(store, set->ca, &xnames) < 0) {
- *error_r = t_strdup_printf("Couldn't parse ssl_ca: %s",
+ if (load_ca(store, set->ca.content, &xnames) < 0) {
+ *error_r = t_strdup_printf("Couldn't parse ssl_ca_file: %s",
openssl_iostream_error());
return -1;
}
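Review bot: The new error text assigned to `*error_r` hardcodes `ssl_ca_file`, but `set->ca.content` is also filled from `ssl_client_ca` for client contexts (the `set->ca.content = ssl_set->ssl_client_ca;` assignment later in this commit), so a malformed client CA would be reported against the wrong setting. The later hunk around `X509_verify_cert_error_string` already branches on `client_ctx` for exactly this reason; assuming `ctx` here is the same context struct, the same choice fits: `*error_r = t_strdup_printf("Couldn't parse %s: %s", ctx->client_ctx ? "ssl_client_ca" : "ssl_ca_file", openssl_iostream_error());`. The enclosing function starts before this hunk.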
return -1;
}
} else if (!have_ca) {
- *error_r = "Can't verify remote client certs without CA (ssl_ca setting)";
+ *error_r = "Can't verify remote client certs without CA (ssl_ca_file setting)";
return -1;
}
return 0;
X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)), certname,
ssl_io->ctx->client_ctx ?
"ssl_client_ca_* settings?" :
- "ssl_ca setting?"));
+ "ssl_ca_file setting?"));
} else {
e_debug(ssl_io->event, "Received valid SSL certificate: %s", certname);
}
{
i_zero(test_set);
test_set->pool = null_pool;
- test_set->ca = test_ca_cert;
+ test_set->ca.content = test_ca_cert;
test_set->cert.cert.content = test_server_cert;
test_set->cert.key.content = test_server_key;
test_set->dh.content = test_server_dh;
{
i_zero(test_set);
test_set->pool = null_pool;
- test_set->ca = test_ca_cert;
+ test_set->ca.content = test_ca_cert;
test_set->skip_crl_check = TRUE;
}
set2->alt_cert.key_password))
return FALSE;
- if (!quick_strcmp(set1->ca, set2->ca) ||
+ if (!quick_strcmp(set1->ca.content, set2->ca.content) ||
!quick_strcmp(set1->ca_file, set2->ca_file) ||
!quick_strcmp(set1->ca_dir, set2->ca_dir))
return FALSE;
const char *cipher_list; /* TLSv1.2 and below only */
const char *ciphersuites; /* TLSv1.3 only */
const char *curve_list;
- const char *ca, *ca_file, *ca_dir;
+ struct settings_file ca;
+ const char *ca_file, *ca_dir;
struct ssl_iostream_cert cert;
/* alternative cert is for providing certificate using
different key algorithm */
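Review bot: The new `struct settings_file ca;` member sits beside `ca_file` and `ca_dir` with no comment, and the names are now easy to misread: `ca` carries the CA certificate contents (it is populated via `settings_file_get(ssl_server_set->ssl_ca_file, ...)` or from `ssl_client_ca`, and parsed with `load_ca(store, set->ca.content, ...)`), while `ca_file`/`ca_dir` remain path strings taken from `ssl_client_ca_file`/`ssl_client_ca_dir`. A comment on the new member such as `/* CA certificate contents (from ssl_ca_file or ssl_client_ca); ca_file/ca_dir below are paths */` would spare the next reader a trip through the setters. The struct definition begins before and ends after this hunk.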
static const struct setting_define ssl_server_setting_defines[] = {
DEF(ENUM, ssl),
- DEF(STR, ssl_ca),
+ DEF(FILE, ssl_ca_file),
DEF(FILE, ssl_cert_file),
DEF(FILE, ssl_key_file),
DEF(FILE, ssl_alt_cert_file),
static const struct ssl_server_settings ssl_server_default_settings = {
.ssl = "yes:no:required",
- .ssl_ca = "",
+ .ssl_ca_file = "",
.ssl_cert_file = "",
.ssl_key_file = "",
.ssl_alt_cert_file = "",
return TRUE;
}
- if (set->ssl_request_client_cert && *set->ssl_ca == '\0') {
- *error_r = "ssl_request_client_cert set, but ssl_ca not";
+ if (set->ssl_request_client_cert && *set->ssl_ca_file == '\0') {
+ *error_r = "ssl_request_client_cert set, but ssl_ca_file not";
return FALSE;
}
return TRUE;
struct ssl_iostream_settings *set =
ssl_common_settings_to_iostream_set(ssl_set);
- set->ca = ssl_set->ssl_client_ca;
+ set->ca.content = ssl_set->ssl_client_ca;
set->ca_file = ssl_set->ssl_client_ca_file;
set->ca_dir = ssl_set->ssl_client_ca_dir;
settings_file_get(ssl_set->ssl_client_cert_file,
ssl_common_settings_to_iostream_set(ssl_set);
pool_add_external_ref(set->pool, ssl_server_set->pool);
- set->ca = ssl_server_set->ssl_ca;
+ settings_file_get(ssl_server_set->ssl_ca_file, set->pool, &set->ca);
settings_file_get(ssl_server_set->ssl_cert_file,
set->pool, &set->cert.cert);
settings_file_get(ssl_server_set->ssl_key_file,
pool_t pool;
const char *ssl;
- const char *ssl_ca;
+ const char *ssl_ca_file;
const char *ssl_cert_file;
const char *ssl_alt_cert_file;
const char *ssl_key_file;
ssl_iostream_test_settings_server(&server_set);
ssl_iostream_test_settings_client(&client_set);
client_set.verify_remote_cert = TRUE;
- client_set.ca = NULL;
+ i_zero(&client_set.ca);
test_expect_error_string("client: Received invalid SSL certificate");
test_assert_idx(test_iostream_ssl_handshake_real(&server_set, &client_set,
"127.0.0.1") != 0, idx);