When a CertificateFile is provided, do not trust the system store by
default, since this is not the expected behavior for X.509 certificates.
SystemCertificates can still be explicitly allowed/disallowed to restore
the previous behavior.
---
NEWS | 3 +++
src/drv_imap.c | 2 +-
src/mbsync.1 | 13 ++++++-------
src/socket.c | 9 +++++----
4 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/NEWS b/NEWS
index ebb88a4..f6c7e4a 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,9 @@ A Maildir sub-folder naming style without extra dots has been
added.
Support for TLS client certificates was added.
+System certificates are no longer trusted by default when a CertificateFile has
+been explicitly specified.
+
Support for recovering from baseless UID validity changes was added.
[1.2.0]
diff --git a/src/drv_imap.c b/src/drv_imap.c
index e24c7d8..1290403 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2822,7 +2822,7 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
#ifdef HAVE_LIBSSL
server->ssl_type = -1;
server->sconf.ssl_versions = -1;
- server->sconf.system_certs = 1;
+ server->sconf.system_certs = -1;
#endif
server->max_in_progress = INT_MAX;
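Review bot: The new `-1` stored into `server->sconf.system_certs` turns the field into a tri-state, but nothing in the hunk records what the three values mean; the meaning (`-1` = not set in the config, so the system store is used only when no CertificateFile is given; `0` = `SystemCertificates no`; `1` = `SystemCertificates yes`) should be stated in a comment at the field's declaration, which is outside this hunk, and a short `/* -1: unset, decided in init_ssl_ctx() from cert_file */` next to this assignment would help a reader of imap_parse_store. The config parser that writes 0/1 into this field is also outside the hunk, so I could not confirm it never writes `-1` itself. imap_parse_store continues past the end of this hunk.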
diff --git a/src/mbsync.1 b/src/mbsync.1
index 627181e..b98720c 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -369,17 +369,16 @@ servers, \fBTLSv1\fR is the default.
.TP
\fBSystemCertificates\fR \fByes\fR|\fBno\fR
Whether the system's default root cerificate store should be loaded.
-(Default: \fByes\fR)
+Defaults to yes, unless a \fBCertificateFile\fR has been provided.
..
.TP
\fBCertificateFile\fR \fIpath\fR
-File containing additional X.509 certificates used to verify server
-identities. Directly matched peer certificates are always trusted,
-regardless of validity.
+File containing X.509 certificates used to verify server identities. Directly
+matched peer certificates are always trusted, regardless of validity.
.br
-Note that the system's default certificate store is always used
-(unless \fBSystemCertificates\fR is disabled)
-and should not be specified here.
+Note that the system's default certificate store must be manually enabled
+(using \fBSystemCertificates yes\fR) if system certificates must be trusted in
+addition to the specified certificate.
..
.TP
\fBClientCertificate\fR \fIpath\fR
diff --git a/src/socket.c b/src/socket.c
index 6ab3ce4..f573e6b 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -227,10 +227,11 @@ init_ssl_ctx( const server_conf_t *conf )
return 0;
}
mconf->trusted_certs = (_STACK *)sk_X509_OBJECT_dup(
X509_STORE_get0_objects( SSL_CTX_get_cert_store( mconf->SSLContext ) ) );
- if (mconf->system_certs && !SSL_CTX_set_default_verify_paths(
mconf->SSLContext ))
- warn( "Warning: Unable to load default certificate files: %s\n",
- ERR_error_string( ERR_get_error(), 0 ) );
-
+ if ((mconf->system_certs < 0 && !conf->cert_file) ||
mconf->system_certs > 0) {
+ if (!SSL_CTX_set_default_verify_paths( mconf->SSLContext ))
+ warn( "Warning: Unable to load default certificate
files: %s\n",
+ ERR_error_string( ERR_get_error(), 0 ) );
+ }
SSL_CTX_set_verify( mconf->SSLContext, SSL_VERIFY_NONE, NULL );
if (conf->client_certfile && !SSL_CTX_use_certificate_chain_file(
mconf->SSLContext, conf->client_certfile)) {
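Review bot: The new condition on the `system_certs` check packs the tri-state decision into one expression with no comment, so a reader has to reverse-engineer that `< 0` means "unset" and that the CertificateFile presence only matters in that case; I would name the decision and document it: `/* system_certs: -1 unset (system store only without a CertificateFile), 0 no, 1 yes */`, `int use_system_certs = mconf->system_certs > 0 || (mconf->system_certs < 0 && !conf->cert_file);`, `if (use_system_certs && !SSL_CTX_set_default_verify_paths( mconf->SSLContext ))`. That form also removes the extra brace block and keeps the warn call as a single statement. Note that a failed SSL_CTX_set_default_verify_paths still only warns and the connection proceeds; that is pre-existing, but now that a user can request the system store explicitly with `SystemCertificates yes`, it may be worth stating in the man page that this failure is not fatal. init_ssl_ctx starts before this hunk (the `@@` header names it) and continues after it.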
--
2.11.0