authorbeck <beck@openbsd.org>2020-04-10 19:28:57 +0000
committerbeck <beck@openbsd.org>2020-04-10 19:28:57 +0000
commit1b32f6142c9a774fb3112f5846294243755de477 (patch)
treec3c6c14cb4703892438d1e438976f0da656c37c7
parentbump smtpd version (diff)
When failing to validate a peer TLS certificate in the MTA due to the
desired name of the MX not being present in the certificate, log that this is the reason for the failure and the name we couldn't find in the cert. ok millert@ martijn@
-rw-r--r--mta_session.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/mta_session.c b/mta_session.c
index e109e662..8710d379 100644
--- a/mta_session.c
+++ b/mta_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta_session.c,v 1.133 2020/02/24 23:54:27 millert Exp $ */
+/* $OpenBSD: mta_session.c,v 1.134 2020/04/10 19:28:57 beck Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -1664,8 +1664,12 @@ mta_cert_verify_cb(void *arg, int status)
match = 0;
(void)ssl_check_name(cert, s->mxname, &match);
X509_free(cert);
- if (!match)
+ if (!match) {
+ log_info("%016"PRIx64" mta "
+ "ssl_check_name: no match for '%s' in cert",
+ s->id, s->mxname);
status = CERT_INVALID;
+ }
}
}
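Review bot: The new message in the `if (!match)` branch reports "no match" even when `ssl_check_name()` itself failed, because its return value is discarded with `(void)` and `match` is preset to 0 on the line above. Treating an error as a mismatch is fail-closed, which is the right direction for peer certificate validation, but the log would then presumably point an operator at a name mismatch when the check never completed. Consider capturing the return value and logging a distinct message for the error case, or at least documenting the behaviour with `/* match stays 0 if ssl_check_name() errors: treated as a mismatch */`. `s->mxname` is printed with `%s` and its origin is not visible in this hunk, so it is worth confirming that the logging path escapes non-printable bytes. The body of mta_cert_verify_cb starts outside the hunk.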