From: Timo Sirainen
Date: Tue, 17 May 2022 10:31:40 +0000 (+0200)
Subject: lib-master: Use ssl_require_crl setting only for server-side SSL settings
X-Git-Tag: 2.3.21~40
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9f903ee8793a5f4513b5ad8c054a9a48bfffcd76;p=thirdparty%2Fdovecot%2Fcore.git
lib-master: Use ssl_require_crl setting only for server-side SSL settings
We don't currently properly support checking CRLs when acting as SSL client. The CRL would have to be stored as part of the CAs, which isn't commonly done. This bug has been in the code ever since it was added in 30c5c1fc3608ae575f11960281d3e338b6bf7bc8, but it became more noticeable with recent changes that started using lib-master for getting all SSL client settings, e.g. 1e5324b5805bf7299cd8196f7b659fe935f027bd
---
diff --git a/src/lib-master/master-service-ssl-settings.c b/src/lib-master/master-service-ssl-settings.c
index 5ddf18cc8a..181a83eaa0 100644
--- a/src/lib-master/master-service-ssl-settings.c
+++ b/src/lib-master/master-service-ssl-settings.c
@@ -232,7 +232,6 @@ static void master_service_ssl_common_settings_to_iostream_set(
 set_r->verbose = ssl_set->verbose_ssl;
 set_r->verbose_invalid_cert = ssl_set->verbose_ssl;
- set_r->skip_crl_check = !ssl_set->ssl_require_crl;
 set_r->prefer_server_ciphers = ssl_set->ssl_prefer_server_ciphers;
 set_r->compression = ssl_set->parsed_opts.compression;
 set_r->tickets = ssl_set->parsed_opts.tickets;
@@ -251,6 +250,8 @@ void master_service_ssl_client_settings_to_iostream_set(
 set_r->cert.key = p_strdup_empty(pool, ssl_set->ssl_client_key);
 set_r->verify_remote_cert = ssl_set->ssl_client_require_valid_cert;
 set_r->allow_invalid_cert = !set_r->verify_remote_cert;
+ /* client-side CRL checking not supported currently */
+ set_r->skip_crl_check = TRUE;
 }
 void master_service_ssl_server_settings_to_iostream_set(
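Review bot: With the assignment dropped from master_service_ssl_common_settings_to_iostream_set(), `skip_crl_check` is no longer written on the common path, so any caller of the common function other than the client and server wrappers shown in this commit would keep whatever value set_r held before the call; if such callers exist they need to be checked, since the field now decides whether revocation is consulted at all. The common function's header comment should record the new ownership, e.g. `/* skip_crl_check is deliberately not set here; the server/client wrappers own it */`. The function's body begins outside the hunk.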
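Review bot: Forcing `skip_crl_check = TRUE` means an operator's `ssl_require_crl = yes` is silently ignored for outbound TLS, and nothing in the settings layer tells them that revocation is not checked when this process acts as the client. The setting's documentation should state that ssl_require_crl applies only to the server-side check of certificates presented by connecting clients, and the inline comment should carry the reason from the commit message: `/* client-side CRL checking not supported currently: the CRL would have to be bundled with the client CA set, so ssl_require_crl is deliberately not consulted here */`. A one-time warning when ssl_require_crl is set while client settings are built would make the gap visible in logs, though whether a suitable logging hook is reachable from here cannot be seen in the hunk. master_service_ssl_client_settings_to_iostream_set() begins outside the hunk.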
@@ -272,4 +273,7 @@ void master_service_ssl_server_settings_to_iostream_set(
 set_r->dh = p_strdup(pool, ssl_server_set->ssl_dh);
 set_r->verify_remote_cert = ssl_set->ssl_verify_client_cert;
 set_r->allow_invalid_cert = !set_r->verify_remote_cert;
+ /* ssl_require_crl is used only for checking client-provided SSL
+ certificate's CRL. */
+ set_r->skip_crl_check = !ssl_set->ssl_require_crl;
 }
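Review bot: The new comment's phrase "client-provided SSL certificate's CRL" reads as if the connecting client supplied the revocation data, which could mislead a reader about where the CRL comes from; the check concerns the certificate a connecting client presents, presumably evaluated against CRL data configured with the server's CAs. Suggested wording: `/* ssl_require_crl affects only the server-side check of the certificate presented by a connecting client (see ssl_verify_client_cert above); client-side CRL checking is not supported. */`. Whether skip_crl_check has any effect when ssl_verify_client_cert is off is decided by the SSL iostream layer, which is outside this file. The function's body begins outside the hunk.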