From: Timo Sirainen Date: Fri, 7 Apr 2017 13:13:13 +0000 (+0300) Subject: lib-ssl-iostream: Don't require SSL CA certs if allow_invalid_cert=TRUE X-Git-Tag: 2.3.0.rc1~1770 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fab9e25db12d9e0511f91b65c21cbd04f568f8a;p=thirdparty%2Fdovecot%2Fcore.git lib-ssl-iostream: Don't require SSL CA certs if allow_invalid_cert=TRUE This happened only when verify_remote_cert was also TRUE. But this behavior now allows verifying the cert without actually requiring it to be valid. --- diff --git a/src/lib-ssl-iostream/iostream-openssl-context.c b/src/lib-ssl-iostream/iostream-openssl-context.c index 36b960c777..229a880ffe 100644 --- a/src/lib-ssl-iostream/iostream-openssl-context.c +++ b/src/lib-ssl-iostream/iostream-openssl-context.c @@ -342,7 +342,7 @@ ssl_iostream_context_load_ca(struct ssl_iostream_context *ctx, have_ca = TRUE; } - if (!have_ca) { + if (!have_ca && !set->allow_invalid_cert) { *error_r = !ctx->client_ctx ? "Can't verify remote client certs without CA (ssl_ca setting)" : "Can't verify remote server certs without trusted CAs (ssl_client_ca_* settings)";