Commit 46e24e5baa595a3ebeb674b68130775fb4101cb1

Thomas de Grivel 2024-11-30T01:00:39

Force checking of the server's TLS certificate

diff --git a/smtp.c b/smtp.c
index f90b090..d9a91db 100644
--- a/smtp.c
+++ b/smtp.c
@@ -1789,9 +1789,7 @@ smtp_tls_init(struct smtp *const smtp,
                       SSL_OP_NO_TLSv1);
 
   SSL_CTX_set_mode(smtp->tls_ctx, SSL_MODE_AUTO_RETRY);
-  if((smtp->flags & SMTP_NO_CERT_VERIFY) == 0){
-    SSL_CTX_set_verify(smtp->tls_ctx, SSL_VERIFY_PEER, NULL);
-  }
+  SSL_CTX_set_verify(smtp->tls_ctx, SSL_VERIFY_PEER, NULL);
 
   /*
    * Set the path to the user-provided CA file or use the default cert paths
@@ -1837,19 +1835,17 @@ smtp_tls_init(struct smtp *const smtp,
   }
 
   /* Verify matching subject in certificate. */
-  if((smtp->flags & SMTP_NO_CERT_VERIFY) == 0){
-    if((X509_cert_peer = SSL_get_peer_certificate(smtp->tls)) == NULL){
-      SSL_CTX_free(smtp->tls_ctx);
-      SSL_free(smtp->tls);
-      return -1;
-    }
-    if(X509_check_host(X509_cert_peer, server, 0, 0, NULL) != 1){
-      SSL_CTX_free(smtp->tls_ctx);
-      SSL_free(smtp->tls);
-      return -1;
-    }
-    X509_free(X509_cert_peer);
+  if((X509_cert_peer = SSL_get_peer_certificate(smtp->tls)) == NULL){
+    SSL_CTX_free(smtp->tls_ctx);
+    SSL_free(smtp->tls);
+    return -1;
+  }
+  if(X509_check_host(X509_cert_peer, server, 0, 0, NULL) != 1){
+    SSL_CTX_free(smtp->tls_ctx);
+    SSL_free(smtp->tls);
+    return -1;
   }
+  X509_free(X509_cert_peer);
 
   smtp->tls_on = 1;
   return 0;
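Review bot: The `X509_check_host` failure branch in the added lines returns -1 without releasing the certificate, so the reference taken by `SSL_get_peer_certificate` leaks on every hostname mismatch; add `X509_free(X509_cert_peer);` before the `SSL_CTX_free` in that branch (the leak predates this commit, but these lines are now the unconditional path). `X509_check_host` only matches DNS identifiers, so if callers can pass `server` as an IP literal the connection will always be rejected here; `X509_check_ip_asc` would be needed for that case, assuming such callers exist. `SSL_get_peer_certificate` is deprecated in OpenSSL 3.0 in favour of `SSL_get1_peer_certificate`, which has the same caller-frees ownership. `smtp_tls_init` begins before this hunk and its closing brace lies after it.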
diff --git a/smtp.h b/smtp.h
index f035cc5..3f39bd7 100644
--- a/smtp.h
+++ b/smtp.h
@@ -208,8 +208,8 @@ enum smtp_flag{
    * has expired or if using a self-signed certificate. Either of those
    * conditions will cause the connection to fail. This option allows the
    * connection to proceed even if those checks fail.
-   */
   SMTP_NO_CERT_VERIFY = 1 << 1
+   */
 };
 
 struct smtp;
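Review bot: Moving the `*/` past `SMTP_NO_CERT_VERIFY` comments the constant out while leaving its description in place, so the header now documents an option that no longer exists and any caller still passing `SMTP_NO_CERT_VERIFY` fails to compile. If the intent is that verification is always enforced, it is safer to keep the constant and mark it an ignored no-op — replace the paragraph with `/* Deprecated and ignored: the server certificate is always verified. */` above `SMTP_NO_CERT_VERIFY = 1 << 1` — so existing callers keep building and still get a verified connection. Otherwise delete the constant and its comment outright rather than leaving commented-out code in the enum. The `enum smtp_flag` opening and its earlier members are outside this hunk, so whether the preceding member now ends the list with a trailing comma cannot be checked from here.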