} thread_data;
#endif
+#if GNUTLS_VERSION_NUMBER < 0x030400
+#define DEFAULT_GNUTLS_PRIORITY "NORMAL:-VERS-SSL3.0"
+#else
+#define DEFAULT_GNUTLS_PRIORITY "NORMAL"
+#endif
+
#if GNUTLS_VERSION_NUMBER <= 0x020c00
static int gnutls_client_cert_cb(gnutls_session_t session,
const gnutls_datum_t *req_ca_rdn, int nreqs,
hookdata.is_smtp = sockinfo->is_smtp;
hooks_invoke(SSLCERT_GET_CLIENT_CERT_HOOKLIST, &hookdata);
- if (hookdata.cert_path == NULL)
+ if (hookdata.cert_path == NULL) {
+ g_free(hookdata.password);
return 0;
+ }
sockinfo->client_crt = ssl_certificate_get_x509_from_pem_file(hookdata.cert_path);
sockinfo->client_key = ssl_certificate_get_pkey_from_pem_file(hookdata.cert_path);
st->cert.x509 = &(sockinfo->client_crt);
st->key.x509 = sockinfo->client_key;
st->deinit_all = 0;
+ g_free(hookdata.password);
return 0;
}
+ g_free(hookdata.password);
return 0;
}
const gchar *claws_ssl_get_cert_file(void)
{
+#ifndef G_OS_WIN32
const char *cert_files[]={
+ "/etc/ssl/cert.pem",
"/etc/pki/tls/certs/ca-bundle.crt",
"/etc/certs/ca-bundle.crt",
"/etc/ssl/ca-bundle.pem",
"/usr/lib/ssl/cert.pem",
NULL};
int i;
-
+#endif
+
+ /* We honor this environment variable on all platforms. */
if (g_getenv("SSL_CERT_FILE"))
return g_getenv("SSL_CERT_FILE");
+
#ifndef G_OS_WIN32
for (i = 0; cert_files[i]; i++) {
if (is_file_exist(cert_files[i]))
}
return NULL;
#else
- return get_cert_file();
+ return w32_get_cert_file();
#endif
}
#endif
}
-gboolean ssl_init_socket(SockInfo *sockinfo)
-{
- return ssl_init_socket_with_method(sockinfo, SSL_METHOD_SSLv23);
-}
-
gnutls_x509_crt_t *ssl_get_certificate_chain(gnutls_session_t session, gint *list_len)
{
const gnutls_datum_t *raw_cert_list;
if (raw_cert_list && gnutls_certificate_type_get(session) == GNUTLS_CRT_X509) {
int i = 0;
+ if (*list_len > 128)
+ *list_len = 128;
+
certs = g_malloc(sizeof(gnutls_x509_crt_t) * (*list_len));
for(i = 0 ; i < (*list_len) ; i++) {
gnutls_x509_crt_init(&certs[i]);
r = gnutls_x509_crt_import(certs[i], &raw_cert_list[i], GNUTLS_X509_FMT_DER);
if (r < 0) {
- g_warning("cert get failure: %d %s\n", r, gnutls_strerror(r));
+ g_warning("cert get failure: %d %s", r, gnutls_strerror(r));
result = FALSE;
i--;
return certs;
}
-gboolean ssl_init_socket_with_method(SockInfo *sockinfo, SSLMethod method)
+gboolean ssl_init_socket(SockInfo *sockinfo)
{
gnutls_session_t session;
int r, i;
sockinfo->gnutls_priority, r);
}
else {
- if (method == 0)
- gnutls_priority_set_direct(session, "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2", NULL);
- else
- gnutls_priority_set_direct(session, "NORMAL", NULL);
+ gnutls_priority_set_direct(session, DEFAULT_GNUTLS_PRIORITY, NULL);
}
+
gnutls_record_disable_padding(session);
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
if (claws_ssl_get_cert_file()) {
r = gnutls_certificate_set_x509_trust_file(xcred, claws_ssl_get_cert_file(), GNUTLS_X509_FMT_PEM);
if (r < 0)
- g_warning("Can't read SSL_CERT_FILE %s: %s\n",
+ g_warning("Can't read SSL_CERT_FILE '%s': %s",
claws_ssl_get_cert_file(),
gnutls_strerror(r));
} else {