Remove client certificate left overs

author: manuel <manuel@mausz.at> 2019-02-01 15:09:51 +0100
committer: manuel <manuel@mausz.at> 2019-02-01 15:09:51 +0100
commit: 9b5d3559fd8b201d62359c027b3c15faccdcce14 (patch)
tree: 3dd6d86f8de308cacfd9412cd4593701984829e2
parent: 5568b4be97963627154c8f0c6f21a9af70ca7b8a (diff)
download: qmail-9b5d3559fd8b201d62359c027b3c15faccdcce14.tar.gz
qmail-9b5d3559fd8b201d62359c027b3c15faccdcce14.tar.bz2
qmail-9b5d3559fd8b201d62359c027b3c15faccdcce14.zip
2 files changed, 0 insertions, 24 deletions
diff --git a/qmail-smtpd.8 b/qmail-smtpd.8
index 5920dd9..849599c 100644
--- a/qmail-smtpd.8
+++ b/qmail-smtpd.8
@@ -124,18 +124,6 @@ environment variable is not set.
 For more information, please have a look at doc/README.qregex.
 .TP 5
-.I clientca.pem
-A list of Certifying Authority (CA) certificates that are used to verify
-the client-presented certificates during a TLS-encrypted session.
-.TP 5
-.I clientcrl.pem
-A list of Certificate Revocation Lists (CRLs). If present it
-should contain the CRLs of the CAs in 
-.I clientca.pem 
-and client certs will be checked for revocation.
-.TP 5
 .I badrcptto
 Unacceptable envelope recipient addresses.
 .B qmail-smtpd
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index 8ae6af3..b2c0263 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -68,8 +68,6 @@ char *relayclient;
 # include "tls.h"
 # include "ssl_timeoutio.h"
-# define CLIENTCA "control/clientca.pem"
-# define CLIENTCRL "control/clientcrl.pem"
 # define SERVERCERT "control/servercert.pem"
 void tls_init();
@@ -1441,16 +1439,6 @@ void tls_init()
  if (!SSL_CTX_use_certificate_chain_file(ctx, servercert))
    { SSL_CTX_free(ctx); tls_err("missing certificate"); return; }
-  SSL_CTX_load_verify_locations(ctx, CLIENTCA, NULL);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-  /* crl checking */
-  store = SSL_CTX_get_cert_store(ctx);
-  if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) &&
-      (X509_load_crl_file(lookup, CLIENTCRL, X509_FILETYPE_PEM) == 1))
-    X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK |
-                                X509_V_FLAG_CRL_CHECK_ALL);
-#endif
  /* set the callback here; SSL_set_verify didn't work before 0.9.6c */
  SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb);
author	manuel <manuel@mausz.at>	2019-02-01 15:09:51 +0100
committer	manuel <manuel@mausz.at>	2019-02-01 15:09:51 +0100
commit	9b5d3559fd8b201d62359c027b3c15faccdcce14 (patch)
tree	3dd6d86f8de308cacfd9412cd4593701984829e2
parent	5568b4be97963627154c8f0c6f21a9af70ca7b8a (diff)
download	qmail-9b5d3559fd8b201d62359c027b3c15faccdcce14.tar.gz qmail-9b5d3559fd8b201d62359c027b3c15faccdcce14.tar.bz2 qmail-9b5d3559fd8b201d62359c027b3c15faccdcce14.zip

diff --git a/qmail-smtpd.8 b/qmail-smtpd.8 index 5920dd9..849599c 100644 --- a/qmail-smtpd.8 +++ b/qmail-smtpd.8
@@ -124,18 +124,6 @@ environment variable is not set.
124	For more information, please have a look at doc/README.qregex.	124	For more information, please have a look at doc/README.qregex.
125		125
126	.TP 5	126	.TP 5
127	.I clientca.pem
128	A list of Certifying Authority (CA) certificates that are used to verify
129	the client-presented certificates during a TLS-encrypted session.
130
131	.TP 5
132	.I clientcrl.pem
133	A list of Certificate Revocation Lists (CRLs). If present it
134	should contain the CRLs of the CAs in
135	.I clientca.pem
136	and client certs will be checked for revocation.
137
138	.TP 5
139	.I badrcptto	127	.I badrcptto
140	Unacceptable envelope recipient addresses.	128	Unacceptable envelope recipient addresses.
141	.B qmail-smtpd	129	.B qmail-smtpd


diff --git a/qmail-smtpd.c b/qmail-smtpd.c index 8ae6af3..b2c0263 100644 --- a/qmail-smtpd.c +++ b/qmail-smtpd.c
@@ -68,8 +68,6 @@ char *relayclient;
68	# include "tls.h"	68	# include "tls.h"
69	# include "ssl_timeoutio.h"	69	# include "ssl_timeoutio.h"
70		70
71	# define CLIENTCA "control/clientca.pem"
72	# define CLIENTCRL "control/clientcrl.pem"
73	# define SERVERCERT "control/servercert.pem"	71	# define SERVERCERT "control/servercert.pem"
74		72
75	void tls_init();	73	void tls_init();
@@ -1441,16 +1439,6 @@ void tls_init()
1441		1439
1442	if (!SSL_CTX_use_certificate_chain_file(ctx, servercert))	1440	if (!SSL_CTX_use_certificate_chain_file(ctx, servercert))
1443	{ SSL_CTX_free(ctx); tls_err("missing certificate"); return; }	1441	{ SSL_CTX_free(ctx); tls_err("missing certificate"); return; }
1444	SSL_CTX_load_verify_locations(ctx, CLIENTCA, NULL);
1445
1446	#if OPENSSL_VERSION_NUMBER >= 0x00907000L
1447	/* crl checking */
1448	store = SSL_CTX_get_cert_store(ctx);
1449	if ((lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file())) &&
1450	(X509_load_crl_file(lookup, CLIENTCRL, X509_FILETYPE_PEM) == 1))
1451	X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK \|
1452	X509_V_FLAG_CRL_CHECK_ALL);
1453	#endif
1454		1442
1455	/* set the callback here; SSL_set_verify didn't work before 0.9.6c */	1443	/* set the callback here; SSL_set_verify didn't work before 0.9.6c */
1456	SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb);	1444	SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb);