On Sun, 10 May 2015 23:56:36 -0700, Gilles Chehade <gil...@poolp.org> wrote:
I have spotted a logic error which explains your issue.

Without this, you cannot fall back to the default CA; you have to declare
your CA explicitly.

Can you apply the following diff?

diff --git a/smtpd/lka.c b/smtpd/lka.c
index 31b7176..b621e10 100644
--- a/smtpd/lka.c
+++ b/smtpd/lka.c
@@ -689,7 +689,10 @@ lka_certificate_verify_resume(enum imsg_type type, struct ca_vrfy_req_msg *req)
                if (req->fallback)
                        sca = dict_get(env->sc_ca_dict, "*");
        cafile = sca ? sca->ca_cert_file : CA_FILE;
-       if (sca == NULL || ! lka_X509_verify(req, cafile, NULL))
+
+       if (sca == NULL && !req->fallback)
+               resp.status = CA_FAIL;
+       else if (! lka_X509_verify(req, cafile, NULL))
                resp.status = CA_FAIL;
        else
                resp.status = CA_OK;
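Review bot: the two CA_FAIL branches in this hunk can be collapsed, since `sca == NULL && !req->fallback` and a failed `lka_X509_verify()` both set the same status, e.g. `if ((sca == NULL && !req->fallback) || ! lka_X509_verify(req, cafile, NULL))`. If the split is kept for readability, a one-line comment stating that with `req->fallback` set and no CA entry the verification deliberately runs against the compiled-in `CA_FILE` default would make that intent explicit, since the fallback flag now decides which trust anchors are used; the stray blank line added right after the `cafile = ...` assignment should also go.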

I applied the patch and now server certificate verification is working as expected, thank you.

--
You received this mail because you are subscribed to misc@opensmtpd.org
To unsubscribe, send a mail to: misc+unsubscr...@opensmtpd.org
