On Fri, Nov 25, 2022 at 09:35:28AM -0500, Wietse Venema wrote:
> Viktor Dukhovni:
> > However, in this case the issue is a minor oversight in the Postfix TLS
> > client code. The intended logging behaviour does not happen. Patch
> > below:
>
> Is there an equivalent for the still supported Postfix version 3.5?
> That would also fix Postfix version 3.4 which has the same code.
An alternative (equivalent) form of the patch for 3.6+ could be the
below, which is perhaps closer to the 3.5 logic:
--- src/tls/tls_client.c
+++ src/tls/tls_client.c
@@ -324,6 +324,7 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext,
X509 *peercert,
* checks are now performed internally in OpenSSL.
*/
if (SSL_get_verify_result(TLScontext->con) == X509_V_OK) {
+ TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
if (TLScontext->must_fail) {
msg_panic("%s: cert valid despite trust init failure",
TLScontext->namaddr);
@@ -352,8 +353,7 @@ static void verify_extract_name(TLS_SESS_STATE *TLScontext,
X509 *peercert,
TLScontext->namaddr, peername);
tls_dane_log(TLScontext);
}
- } else
- TLScontext->peer_status |= TLS_CERT_FLAG_TRUSTED;
+ }
}
/*
--
Viktor.
