Dear Viktor, dear Wietse,

On 25.11.22 at 17:25, Viktor Dukhovni wrote:
On Fri, Nov 25, 2022 at 09:35:28AM -0500, Wietse Venema wrote:
Viktor Dukhovni:
However, in this case the issue is a minor oversight in the Postfix TLS
client code.  The intended logging behaviour does not happen.  Patch
below:

Is there an equivalent for the still supported Postfix version 3.5?
That would also fix Postfix version 3.4 which has the same code.

An alternative (equivalent) form of the patch for 3.6+ could be the
below, which is perhaps closer to the 3.5 logic:

--- src/tls/tls_client.c
+++ src/tls/tls_client.c
@@ -324,6 +324,7 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, 
X509 *peercert,
       * checks are now performed internally in OpenSSL.
       */
      if (SSL_get_verify_result(TLScontext->con) == X509_V_OK) {
+       TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
        if (TLScontext->must_fail) {
            msg_panic("%s: cert valid despite trust init failure",
                      TLScontext->namaddr);
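Review bot: the added `TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;` now sets the flag as soon as `SSL_get_verify_result()` returns `X509_V_OK`, before the `must_fail` check and before the name-matching logic that follows, so any code between this line and the end of `verify_extract_name()` that tests `peer_status` for `TLS_CERT_FLAG_TRUSTED` will see it earlier than before; worth confirming nothing in that range depends on the old ordering. Placing it ahead of the `msg_panic()` is harmless since the panic aborts, but a one-line comment stating that "trusted" here means the chain verified, independent of whether the peer name later matches, would make the intent clear to the next reader.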
@@ -352,8 +353,7 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext, 
X509 *peercert,
                             TLScontext->namaddr, peername);
                tls_dane_log(TLScontext);
            }
-       } else
-           TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
+       }
      }
/*
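Review bot: replacing `} else` / `TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;` with a bare `}` means the flag is no longer set only on the path where the preceding branch was not taken, which is consistent with setting it unconditionally on `X509_V_OK` in the first hunk; please double-check the brace balance and that the new `}` is indented to match the `if` it closes, since the trailing `/*` context line shows this sits right at the end of the function body.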

Just a late note that this diff was applied on 20221125. Thank you all.


Kind regards,

Paul
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org