add support for sending a TLS client certificate

This commit is contained in:
Anton Khirnov 2015-08-08 19:45:53 +02:00 committed by Oswald Buddenhagen
parent ccd1340bf4
commit 167964933f
5 changed files with 41 additions and 0 deletions

2
NEWS
View File

@ -4,6 +4,8 @@ Network timeout handling has been added.
A Maildir sub-folder naming style without extra dots has been added.
Support for TLS client certificates was added.
[1.2.0]
The 'isync' compatibility wrapper is now deprecated.

View File

@ -2779,6 +2779,20 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
}
} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
server->sconf.system_certs = parse_bool( cfg );
} else if (!strcasecmp( "ClientCertificate", cfg->cmd )) {
server->sconf.client_certfile = expand_strdup( cfg->val );
if (access( server->sconf.client_certfile, R_OK )) {
sys_error( "%s:%d: ClientCertificate '%s'",
cfg->file, cfg->line, server->sconf.client_certfile );
cfg->err = 1;
}
} else if (!strcasecmp( "ClientKey", cfg->cmd )) {
server->sconf.client_keyfile = expand_strdup( cfg->val );
if (access( server->sconf.client_keyfile, R_OK )) {
sys_error( "%s:%d: ClientKey '%s'",
cfg->file, cfg->line, server->sconf.client_keyfile );
cfg->err = 1;
}
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
if (!strcasecmp( "None", cfg->val )) {
server->ssl_type = SSL_None;

View File

@ -378,6 +378,18 @@ Note that the system's default certificate store is always used
and should not be specified here.
..
.TP
\fBClientCertificate\fR \fIpath\fR
File containing a client certificate to send to the server.
\fBClientKey\fR should also be specified.
.br
Note that client certificate verification is usually not required,
so it is unlikely that you need this option.
..
.TP
\fBClientKey\fR \fIpath\fR
File containing the private key corresponding to \fBClientCertificate\fR.
..
.TP
\fBPipelineDepth\fR \fIdepth\fR
Maximum number of IMAP commands which can be simultaneously in flight.
Setting this to \fI1\fR disables pipelining.

View File

@ -230,6 +230,17 @@ init_ssl_ctx( const server_conf_t *conf )
SSL_CTX_set_verify( mconf->SSLContext, SSL_VERIFY_NONE, NULL );
if (conf->client_certfile && !SSL_CTX_use_certificate_chain_file( mconf->SSLContext, conf->client_certfile)) {
error( "Error while loading client certificate file '%s': %s\n",
conf->client_certfile, ERR_error_string( ERR_get_error(), 0 ) );
return 0;
}
if (conf->client_keyfile && !SSL_CTX_use_PrivateKey_file( mconf->SSLContext, conf->client_keyfile, SSL_FILETYPE_PEM)) {
error( "Error while loading client private key '%s': %s\n",
conf->client_keyfile, ERR_error_string( ERR_get_error(), 0 ) );
return 0;
}
mconf->ssl_ctx_valid = 1;
return 1;
}

View File

@ -50,6 +50,8 @@ typedef struct server_conf {
int timeout;
#ifdef HAVE_LIBSSL
char *cert_file;
char *client_certfile;
char *client_keyfile;
char system_certs;
char ssl_versions;