diff -Naur netqmail-1.05-org/qmail-smtpd.c netqmail-1.05/qmail-smtpd.c
--- netqmail-1.05-org/qmail-smtpd.c	2007-12-02 18:06:14.000000000 +0100
+++ netqmail-1.05/qmail-smtpd.c	2007-12-02 21:16:05.000000000 +0100
@@ -1055,6 +1055,10 @@
 int ssl_verified = 0;
 const char *ssl_verify_err = 0;
 
+stralloc clientca = {0};
+stralloc clientcrl = {0};
+stralloc servercrt = {0};
+
 void smtp_tls(char *arg)
 {
   if (ssl) err_unimpl();
@@ -1116,10 +1120,6 @@
 }
 void tls_err(const char *s) { tls_out(s, ssl_error()); if (smtps) die_read(); }
 
-# define CLIENTCA "control/clientca.pem"
-# define CLIENTCRL "control/clientcrl.pem"
-# define SERVERCERT "control/servercert.pem"
-
 int tls_verify()
 {
   stralloc clients = {0};
@@ -1138,7 +1138,7 @@
        * 0.9.6b client might fail with SSL_R_EXCESSIVE_MESSAGE_SIZE;
        * it is probably due to 0.9.6b supporting only 8k key exchange
        * data while the 0.9.6c release increases that limit to 100k */
-      STACK_OF(X509_NAME) *sk = SSL_load_client_CA_file(CLIENTCA);
+      STACK_OF(X509_NAME) *sk = SSL_load_client_CA_file(clientca.s);
       if (sk) {
         SSL_set_client_CA_list(ssl, sk);
         SSL_set_verify(ssl, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);
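Review bot: `clientca.s` is a null pointer until the setup code in the later hunk has filled the stralloc, whereas the `CLIENTCA` macro it replaces was always a valid path, so this call now depends on call order. The visible lines do not show whether tls_verify() returns early when TLS was never initialised; if it does, a comment such as `/* clientca is filled during TLS setup; not reached without an active ssl */` above the call would record that. When the per-group CA file cannot be loaded, `sk` is null and the peer-verification setup is skipped with no log line, which makes a mistyped group name hard to notice. tls_verify's body starts before and continues after this hunk.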
@@ -1207,22 +1207,49 @@
   stralloc saciphers = {0};
   X509_STORE *store;
   X509_LOOKUP *lookup;
+	const char *certvar;
 
   SSL_library_init();
 
+	certvar = env_get("SSLGROUP");
+	if (certvar) {
+		// client ca
+		if(!stralloc_copys(&clientca, "control/clientca_")) die_nomem();
+		if(!stralloc_cats(&clientca, certvar)) die_nomem();
+		if(!stralloc_cats(&clientca, ".pem")) die_nomem();
+		if(!stralloc_0(&clientca)) die_nomem();
+		// client crl
+		if(!stralloc_copys(&clientcrl, "control/clientcrl_")) die_nomem();
+		if(!stralloc_cats(&clientcrl, certvar)) die_nomem();
+		if(!stralloc_cats(&clientcrl, ".pem")) die_nomem();
+		if(!stralloc_0(&clientcrl)) die_nomem();
+		// client crt
+		if(!stralloc_copys(&servercrt, "control/clientcert_")) die_nomem();
+		if(!stralloc_cats(&servercrt, certvar)) die_nomem();
+		if(!stralloc_cats(&servercrt, ".pem")) die_nomem();
+		if(!stralloc_0(&servercrt)) die_nomem();
+	} else {
+		if(!stralloc_copys(&clientca, "control/clientca.pem")) die_nomem();
+		if(!stralloc_0(&clientca)) die_nomem();
+		if(!stralloc_copys(&clientcrl, "control/clientcrl.pem")) die_nomem();
+		if(!stralloc_0(&clientcrl)) die_nomem();
+		if(!stralloc_copys(&servercrt, "control/servercert.pem")) die_nomem();
+		if(!stralloc_0(&servercrt)) die_nomem();
+	}
+
   /* a new SSL context with the bare minimum of options */
   ctx = SSL_CTX_new(SSLv23_server_method());
   if (!ctx) { tls_err("unable to initialize ctx"); return; }
 
-  if (!SSL_CTX_use_certificate_chain_file(ctx, SERVERCERT))
+  if (!SSL_CTX_use_certificate_chain_file(ctx, servercrt.s))
     { SSL_CTX_free(ctx); tls_err("missing certificate"); return; }
-  SSL_CTX_load_verify_locations(ctx, CLIENTCA, NULL);
+  SSL_CTX_load_verify_locations(ctx, clientca.s, NULL);
 
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
   /* crl checking */
   store = SSL_CTX_get_cert_store(ctx);
   if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) &&
-      (X509_load_crl_file(lookup, CLIENTCRL, X509_FILETYPE_PEM) == 1))
+      (X509_load_crl_file(lookup, clientcrl.s, X509_FILETYPE_PEM) == 1))
     X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
                                 X509_V_FLAG_CRL_CHECK_ALL);
 #endif
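Review bot: The value of `SSLGROUP` is appended to `control/clientca_`, `control/clientcrl_` and `control/clientcert_` without any check, so a value containing `/` (or an empty one) selects certificate, key and CRL files outside the intended naming scheme. Even if the variable is presumably set only by the administrator's connection rules, it is safer to reject it before the paths are built, e.g. with qmail's `str_chr`: `if (certvar && (!*certvar || certvar[str_chr(certvar, '/')])) { tls_err("invalid SSLGROUP"); return; }`. The third path uses the prefix `control/clientcert_` under the comment `// client crt`, although the file is loaded as the server certificate chain here and as the server's RSA key in the next hunk, and the fallback is `control/servercert.pem`; this looks like a slip for `"control/servercert_"`. A missing or mistyped per-group CRL file leaves `X509_V_FLAG_CRL_CHECK` unset with no diagnostic, so revocation checking is silently off for that group. The enclosing function starts before the hunk and continues after it.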
@@ -1236,7 +1263,7 @@
   if (!myssl) { tls_err("unable to initialize ssl"); return; }
 
   /* this will also check whether public and private keys match */
-  if (!SSL_use_RSAPrivateKey_file(myssl, SERVERCERT, SSL_FILETYPE_PEM))
+  if (!SSL_use_RSAPrivateKey_file(myssl, servercrt.s, SSL_FILETYPE_PEM))
     { SSL_free(myssl); tls_err("no valid RSA private key"); return; }
 
   ciphers = env_get("TLSCIPHERS");
@@ -1279,9 +1306,6 @@
   dohelo(remotehost);
 }
 
-# undef SERVERCERT
-# undef CLIENTCA
-
 #endif
 
 struct commands smtpcommands[] = {
