On Sat, Aug 08, 2015 at 07:45:53PM +0200, Anton Khirnov wrote:
> ---
> src/drv_imap.c | 14 ++++++++++++++
> src/mbsync.1 | 10 ++++++++++
> src/socket.c | 13 +++++++++++++
> src/socket.h | 2 ++
> 4 files changed, 39 insertions(+)
>
cool, thanks.
i made a few adjustments. notably, i reduced the interweaving with code
related with server certificates (i think it's logically pretty much
orthogonal), extended the man page, and added a NEWS item.
i'm too lazy to set up a test server configuration for that, so please
check whether it still works. :D
>From 167964933f42d32f1cc2a119453e71c5048e86e2 Mon Sep 17 00:00:00 2001
From: Anton Khirnov <an...@khirnov.net>
Date: Sat, 8 Aug 2015 19:45:53 +0200
Subject: [PATCH] add support for sending a TLS client certificate
---
NEWS | 2 ++
src/drv_imap.c | 14 ++++++++++++++
src/mbsync.1 | 12 ++++++++++++
src/socket.c | 11 +++++++++++
src/socket.h | 2 ++
5 files changed, 41 insertions(+)
diff --git a/NEWS b/NEWS
index 5ba9777..5c74ce1 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,8 @@ Network timeout handling has been added.
A Maildir sub-folder naming style without extra dots has been added.
+Support for TLS client certificates was added.
+
[1.2.0]
The 'isync' compatibility wrapper is now deprecated.
diff --git a/src/drv_imap.c b/src/drv_imap.c
index f27e58e..86dd22c 100644
--- a/src/drv_imap.c
+++ b/src/drv_imap.c
@@ -2779,6 +2779,20 @@ imap_parse_store( conffile_t *cfg, store_conf_t **storep )
}
} else if (!strcasecmp( "SystemCertificates", cfg->cmd )) {
server->sconf.system_certs = parse_bool( cfg );
+ } else if (!strcasecmp( "ClientCertificate", cfg->cmd )) {
+ server->sconf.client_certfile = expand_strdup( cfg->val );
+ if (access( server->sconf.client_certfile, R_OK )) {
+ sys_error( "%s:%d: ClientCertificate '%s'",
+ cfg->file, cfg->line, server->sconf.client_certfile );
+ cfg->err = 1;
+ }
+ } else if (!strcasecmp( "ClientKey", cfg->cmd )) {
+ server->sconf.client_keyfile = expand_strdup( cfg->val );
+ if (access( server->sconf.client_keyfile, R_OK )) {
+ sys_error( "%s:%d: ClientKey '%s'",
+ cfg->file, cfg->line, server->sconf.client_keyfile );
+ cfg->err = 1;
+ }
} else if (!strcasecmp( "SSLType", cfg->cmd )) {
if (!strcasecmp( "None", cfg->val )) {
server->ssl_type = SSL_None;
diff --git a/src/mbsync.1 b/src/mbsync.1
index cb190a2..daa8d41 100644
--- a/src/mbsync.1
+++ b/src/mbsync.1
@@ -378,6 +378,18 @@ Note that the system's default certificate store is always used
and should not be specified here.
..
.TP
+\fBClientCertificate\fR \fIpath\fR
+File containing a client certificate to send to the server.
+\fBClientKey\fR should also be specified.
+.br
+Note that client certificate verification is usually not required,
+so it is unlikely that you need this option.
+..
+.TP
+\fBClientKey\fR \fIpath\fR
+File containing the private key corresponding to \fBClientCertificate\fR.
+..
+.TP
\fBPipelineDepth\fR \fIdepth\fR
Maximum number of IMAP commands which can be simultaneously in flight.
Setting this to \fI1\fR disables pipelining.
diff --git a/src/socket.c b/src/socket.c
index 27bc8cd..33372d4 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -230,6 +230,17 @@ init_ssl_ctx( const server_conf_t *conf )
SSL_CTX_set_verify( mconf->SSLContext, SSL_VERIFY_NONE, NULL );
+ if (conf->client_certfile && !SSL_CTX_use_certificate_chain_file( mconf->SSLContext, conf->client_certfile)) {
+ error( "Error while loading client certificate file '%s': %s\n",
+ conf->client_certfile, ERR_error_string( ERR_get_error(), 0 ) );
+ return 0;
+ }
+ if (conf->client_keyfile && !SSL_CTX_use_PrivateKey_file( mconf->SSLContext, conf->client_keyfile, SSL_FILETYPE_PEM)) {
+ error( "Error while loading client private key '%s': %s\n",
+ conf->client_keyfile, ERR_error_string( ERR_get_error(), 0 ) );
+ return 0;
+ }
+
mconf->ssl_ctx_valid = 1;
return 1;
}
diff --git a/src/socket.h b/src/socket.h
index bbbc56b..1a089cd 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -50,6 +50,8 @@ typedef struct server_conf {
int timeout;
#ifdef HAVE_LIBSSL
char *cert_file;
+ char *client_certfile;
+ char *client_keyfile;
char system_certs;
char ssl_versions;
--
2.3.0.1.g6d95ec2
------------------------------------------------------------------------------
_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel
