add support for sending a TLS client certificate
This commit is contained in:
parent
ccd1340bf4
commit
167964933f
2
NEWS
2
NEWS
|
@ -4,6 +4,8 @@ Network timeout handling has been added.
|
||||||
|
|
||||||
A Maildir sub-folder naming style without extra dots has been added.
|
A Maildir sub-folder naming style without extra dots has been added.
|
||||||
|
|
||||||
|
Support for TLS client certificates was added.
|
||||||
|
|
||||||
[1.2.0]
|
[1.2.0]
|
||||||
|
|
||||||
The 'isync' compatibility wrapper is now deprecated.
|
The 'isync' compatibility wrapper is now deprecated.
|
||||||
|
|
|
@ -2779,6 +2779,20 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
|
||||||
}
|
}
|
||||||
} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
|
} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
|
||||||
server->sconf.system_certs = parse_bool( cfg );
|
server->sconf.system_certs = parse_bool( cfg );
|
||||||
|
} else if (!strcasecmp( "ClientCertificate", cfg->cmd )) {
|
||||||
|
server->sconf.client_certfile = expand_strdup( cfg->val );
|
||||||
|
if (access( server->sconf.client_certfile, R_OK )) {
|
||||||
|
sys_error( "%s:%d: ClientCertificate '%s'",
|
||||||
|
cfg->file, cfg->line, server->sconf.client_certfile );
|
||||||
|
cfg->err = 1;
|
||||||
|
}
|
||||||
|
} else if (!strcasecmp( "ClientKey", cfg->cmd )) {
|
||||||
|
server->sconf.client_keyfile = expand_strdup( cfg->val );
|
||||||
|
if (access( server->sconf.client_keyfile, R_OK )) {
|
||||||
|
sys_error( "%s:%d: ClientKey '%s'",
|
||||||
|
cfg->file, cfg->line, server->sconf.client_keyfile );
|
||||||
|
cfg->err = 1;
|
||||||
|
}
|
||||||
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
|
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
|
||||||
if (!strcasecmp( "None", cfg->val )) {
|
if (!strcasecmp( "None", cfg->val )) {
|
||||||
server->ssl_type = SSL_None;
|
server->ssl_type = SSL_None;
|
||||||
|
|
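Review bot: The new ClientCertificate and ClientKey branches accept either option without the other, although the man page text in this same commit says ClientKey should accompany ClientCertificate; nothing in the hunk rejects a ClientKey with no ClientCertificate, so such a configuration is only noticed at handshake time. A check after the option loop (outside this hunk) such as `if (server->sconf.client_keyfile && !server->sconf.client_certfile) { error( "%s: ClientKey given without ClientCertificate\n", cfg->file ); cfg->err = 1; }` would report it alongside the other config errors. The `access( …, R_OK )` tests are advisory only: they race with the later open in init_ssl_ctx and check the real rather than the effective uid, so the load-failure path there has to stay the authoritative check. If either option appears twice the earlier `expand_strdup` result is presumably leaked; a `free()` before reassigning is worth adding if expand_strdup allocates.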
12
src/mbsync.1
12
src/mbsync.1
|
@ -378,6 +378,18 @@ Note that the system's default certificate store is always used
|
||||||
and should not be specified here.
|
and should not be specified here.
|
||||||
..
|
..
|
||||||
.TP
|
.TP
|
||||||
|
\fBClientCertificate\fR \fIpath\fR
|
||||||
|
File containing a client certificate to send to the server.
|
||||||
|
\fBClientKey\fR should also be specified.
|
||||||
|
.br
|
||||||
|
Note that client certificate verification is usually not required,
|
||||||
|
so it is unlikely that you need this option.
|
||||||
|
..
|
||||||
|
.TP
|
||||||
|
\fBClientKey\fR \fIpath\fR
|
||||||
|
File containing the private key corresponding to \fBClientCertificate\fR.
|
||||||
|
..
|
||||||
|
.TP
|
||||||
\fBPipelineDepth\fR \fIdepth\fR
|
\fBPipelineDepth\fR \fIdepth\fR
|
||||||
Maximum number of IMAP commands which can be simultaneously in flight.
|
Maximum number of IMAP commands which can be simultaneously in flight.
|
||||||
Setting this to \fI1\fR disables pipelining.
|
Setting this to \fI1\fR disables pipelining.
|
||||||
|
|
11
src/socket.c
11
src/socket.c
|
@ -230,6 +230,17 @@ init_ssl_ctx( const server_conf_t *conf )
|
||||||
|
|
||||||
SSL_CTX_set_verify( mconf->SSLContext, SSL_VERIFY_NONE, NULL );
|
SSL_CTX_set_verify( mconf->SSLContext, SSL_VERIFY_NONE, NULL );
|
||||||
|
|
||||||
|
if (conf->client_certfile && !SSL_CTX_use_certificate_chain_file( mconf->SSLContext, conf->client_certfile)) {
|
||||||
|
error( "Error while loading client certificate file '%s': %s\n",
|
||||||
|
conf->client_certfile, ERR_error_string( ERR_get_error(), 0 ) );
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
if (conf->client_keyfile && !SSL_CTX_use_PrivateKey_file( mconf->SSLContext, conf->client_keyfile, SSL_FILETYPE_PEM)) {
|
||||||
|
error( "Error while loading client private key '%s': %s\n",
|
||||||
|
conf->client_keyfile, ERR_error_string( ERR_get_error(), 0 ) );
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
mconf->ssl_ctx_valid = 1;
|
mconf->ssl_ctx_valid = 1;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
|
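Review bot: After both files are loaded nothing verifies that the private key matches the certificate, so a mismatched pair is only diagnosed by the server during the handshake, or not at all when the server never requests a client certificate. Add `if (conf->client_certfile && !SSL_CTX_check_private_key( mconf->SSLContext )) { error( "Client certificate and private key do not match: %s\n", ERR_error_string( ERR_get_error(), 0 ) ); return 0; }` before `mconf->ssl_ctx_valid = 1;`. When ClientCertificate is given without ClientKey the context is left with a certificate but no key; the usual convention is to fall back to the certificate file for the key (`conf->client_keyfile ? conf->client_keyfile : conf->client_certfile`), since PEM files often bundle both. init_ssl_ctx starts above this hunk.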
@ -50,6 +50,8 @@ typedef struct server_conf {
|
||||||
int timeout;
|
int timeout;
|
||||||
#ifdef HAVE_LIBSSL
|
#ifdef HAVE_LIBSSL
|
||||||
char *cert_file;
|
char *cert_file;
|
||||||
|
char *client_certfile;
|
||||||
|
char *client_keyfile;
|
||||||
char system_certs;
|
char system_certs;
|
||||||
char ssl_versions;
|
char ssl_versions;
|
||||||
|
|
||||||
|
|
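Review bot: The two new members carry no comment on what they hold or how "unset" is represented, even though the config parser fills them via `expand_strdup` and init_ssl_ctx tests them for NULL. A short comment on each would make the contract explicit: `char *client_certfile; /* PEM client certificate (chain) file; NULL when unset */` and `char *client_keyfile; /* PEM private key for client_certfile; NULL when unset */`. The enclosing typedef struct starts above this hunk.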