dovecot-2.2: lib-http: If remote SSL cert is invalid, treat it a...
dovecot at dovecot.org
dovecot at dovecot.org
Mon Apr 8 13:03:27 EEST 2013
details: http://hg.dovecot.org/dovecot-2.2/rev/ac0e59dfe081
changeset: 16245:ac0e59dfe081
user: Timo Sirainen <tss at iki.fi>
date: Mon Apr 08 13:03:12 2013 +0300
description:
lib-http: If remote SSL cert is invalid, treat it as non-retryable error.
diffstat:
src/lib-http/http-client-connection.c | 54 ++++++++++++++++++++--------------
1 files changed, 31 insertions(+), 23 deletions(-)
diffs (71 lines):
diff -r c7555e6d13fd -r ac0e59dfe081 src/lib-http/http-client-connection.c
--- a/src/lib-http/http-client-connection.c Mon Apr 08 13:02:27 2013 +0300
+++ b/src/lib-http/http-client-connection.c Mon Apr 08 13:03:12 2013 +0300
@@ -97,29 +97,6 @@
}
static void
-http_client_connection_abort_temp_error(struct http_client_connection **_conn,
- unsigned int status, const char *error)
-{
- struct http_client_connection *conn = *_conn;
- const char *sslerr;
-
- if (status == HTTP_CLIENT_REQUEST_ERROR_CONNECTION_LOST &&
- conn->ssl_iostream != NULL) {
- sslerr = ssl_iostream_get_last_error(conn->ssl_iostream);
- if (sslerr != NULL) {
- error = t_strdup_printf("%s (last SSL error: %s)",
- error, sslerr);
- }
- }
-
- conn->connected = FALSE;
- conn->closing = TRUE;
-
- http_client_connection_retry_requests(conn, status, error);
- http_client_connection_unref(_conn);
-}
-
-static void
http_client_connection_abort_error(struct http_client_connection **_conn,
unsigned int status, const char *error)
{
@@ -138,6 +115,37 @@
}
static void
+http_client_connection_abort_temp_error(struct http_client_connection **_conn,
+ unsigned int status, const char *error)
+{
+ struct http_client_connection *conn = *_conn;
+ const char *sslerr;
+
+ if (status == HTTP_CLIENT_REQUEST_ERROR_CONNECTION_LOST &&
+ conn->ssl_iostream != NULL) {
+ sslerr = ssl_iostream_get_last_error(conn->ssl_iostream);
+ if (sslerr != NULL) {
+ error = t_strdup_printf("%s (last SSL error: %s)",
+ error, sslerr);
+ }
+ if (ssl_iostream_has_handshake_failed(conn->ssl_iostream)) {
+ /* this isn't really a "connection lost", but that we
+ don't trust the remote's SSL certificate. don't
+ retry. */
+ http_client_connection_abort_error(_conn,
+ HTTP_CLIENT_REQUEST_ERROR_BAD_RESPONSE, error);
+ return;
+ }
+ }
+
+ conn->connected = FALSE;
+ conn->closing = TRUE;
+
+ http_client_connection_retry_requests(conn, status, error);
+ http_client_connection_unref(_conn);
+}
+
+static void
http_client_connection_idle_timeout(struct http_client_connection *conn)
{
http_client_connection_debug(conn, "Idle connection timed out");
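Review bot: The comment in the new `ssl_iostream_has_handshake_failed()` branch of http_client_connection_abort_temp_error says the remote's certificate is not trusted, but the check as named appears to cover any handshake failure, so the comment and the commit title may be narrower than the behaviour. I would reword it to `/* the SSL handshake failed (e.g. the remote's certificate isn't trusted), so this isn't really a "connection lost". don't retry. */`. The failure is reported as `HTTP_CLIENT_REQUEST_ERROR_BAD_RESPONSE`, which presumably makes a TLS trust failure indistinguishable by status from a malformed HTTP response. Callers and log monitoring then depend on the "last SSL error" text, which is only appended when `sslerr != NULL`. A dedicated status, or a fixed message prefix on the handshake-failed path, would keep certificate problems visible to operators.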