authorbeck <beck@openbsd.org>2020-04-10 19:28:57 +0000
committerbeck <beck@openbsd.org>2020-04-10 19:28:57 +0000
commit3bb23d5394a41073f59fe310926f9b2c35d63874 (patch)
tree61493b69a6d31357539890edac972b4c7765a835 /usr.sbin/smtpd
parentsync cert.pem with Mozilla's root ca list, ok beck@ (diff)
When failing to validate a peer TLS certificate in the MTA due to the
desired name of the MX not being present in the certificate, log that this is the reason for the failure and the name we couldn't find in the cert. ok millert@ martijn@
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r--usr.sbin/smtpd/mta_session.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c
index e109e662a10..8710d379f6e 100644
--- a/usr.sbin/smtpd/mta_session.c
+++ b/usr.sbin/smtpd/mta_session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mta_session.c,v 1.133 2020/02/24 23:54:27 millert Exp $ */
+/* $OpenBSD: mta_session.c,v 1.134 2020/04/10 19:28:57 beck Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -1664,8 +1664,12 @@ mta_cert_verify_cb(void *arg, int status)
match = 0;
(void)ssl_check_name(cert, s->mxname, &match);
X509_free(cert);
- if (!match)
+ if (!match) {
+ log_info("%016"PRIx64" mta "
+ "ssl_check_name: no match for '%s' in cert",
+ s->id, s->mxname);
status = CERT_INVALID;
+ }
}
}
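Review bot: The new `log_info` in the `if (!match)` branch reports "no match" even when `ssl_check_name()` itself failed, because its return value is discarded with `(void)` and `match` is preset to 0 just before the call. If that function can fail for reasons other than a name mismatch (its definition is not visible here), an operator triaging TLS verification failures would read an internal error as a certificate that lacks the MX name. Assuming it signals failure with a negative return, keep the result and log it separately, e.g. `if (ssl_check_name(cert, s->mxname, &match) == -1) log_info("%016"PRIx64" mta ssl_check_name: error checking '%s'", s->id, s->mxname);`. Since `s->mxname` presumably originates from MX resolution, also confirm that the logging path escapes control characters before the name reaches the log. The body of `mta_cert_verify_cb` starts and ends outside this hunk.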