On Mon, Feb 18, 2019 at 02:07:29AM -0500, Viktor Dukhovni wrote:
> Feb 17 22:08:45 mail postfix/tlsproxy[23261]:
> sys1.mmini.de[5.9.100.168]:25: depth=1 verify=0
> subject=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>
> These callbacks are NOT expected.
diff --git a/src/tls/tls_misc.c b/src/tls/tls_misc.c index 01dda8a97..a4a88a392 100644 --- a/src/tls/tls_misc.c +++ b/src/tls/tls_misc.c @@ -772,6 +772,8 @@ void tls_pre_jail_init(TLS_ROLE role) }; int flags; + tls_param_init(); + /* Nothing for clients at this time */ if (role != TLS_ROLE_SERVER) return; diff --git a/src/tlsproxy/tlsproxy.c b/src/tlsproxy/tlsproxy.c index 2c8714cb4..91eb4a9bc 100644 --- a/src/tlsproxy/tlsproxy.c +++ b/src/tlsproxy/tlsproxy.c @@ -947,7 +947,12 @@ static int tlsp_client_start_pre_handshake(TLSP_STATE *state) { state->client_start_props->ctx = state->appl_state; state->client_start_props->fd = state->ciphertext_fd; - state->tls_context = tls_client_start(state->client_start_props); + if (!TLS_DANE_BASED(state->client_start_props->tls_level) + || tls_dane_avail()) + state->tls_context = tls_client_start(state->client_start_props); + else + msg_warn("%s: DANE requested, but not available", + state->client_start_props->namaddr); if (state->tls_context != 0) return (TLSP_STAT_OK); These address missing DANE and TLS library initialization in the TLS proxy. Another issue remains, in that tlsproxy(8) wants unconditional server-side support before it is willing to be a client proxy, and therefore also wants server certificates. We should probably split its pre_jail initialization into separate client-side and server-side functions, so that the server side can return with nothing to do, and yet allow the client side to be activated. And presumably the converse, and then turn away unsupported requests from servers or clients at run-time, if the corresponding feature is not enabled. -- Viktor.
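Review bot: in the tls_misc.c hunk, the new tls_param_init() call is deliberately placed ahead of the `if (role != TLS_ROLE_SERVER) return;` early exit, but nothing in the code says so, and the existing comment `/* Nothing for clients at this time */` directly below now reads as if no client-side setup happens at all. A one-line comment above the call (e.g. that the TLS parameters must be initialized for both roles before the server-only work) would keep a later cleanup from moving it under the server branch and silently reintroducing the uninitialized-client case this hunk fixes.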
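Review bot: in the tlsproxy.c hunk, the `else` branch that emits "DANE requested, but not available" never assigns state->tls_context, so the following `if (state->tls_context != 0) return (TLSP_STAT_OK);` only takes the failure path if tls_context was already 0 on entry, which is not visible in this hunk. Consider setting `state->tls_context = 0;` explicitly in the `else` branch (or asserting it) so the refusal does not depend on prior initialization. The outcome itself is the right one for a security downgrade: a DANE-level request on a build without DANE support is refused with a warning rather than quietly proceeding at a weaker level.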