[dovecot/core] cea45a: lib-ssl-iostream: Fix missing altName handling in ...

GitHub noreply at github.com
Wed Apr 25 19:30:17 EEST 2018


  Branch: refs/heads/master
  Home:   https://github.com/dovecot/core
  Commit: cea45a45078374c6ea43407908cf77cdb9c1a2ac
      https://github.com/dovecot/core/commit/cea45a45078374c6ea43407908cf77cdb9c1a2ac
  Author: Aki Tuomi <aki.tuomi at dovecot.fi>
  Date:   2018-04-25 (Wed, 25 Apr 2018)

  Changed paths:
    M src/lib-ssl-iostream/iostream-openssl-common.c

  Log Message:
  -----------
  lib-ssl-iostream: Fix missing altName handling in openssl_cert_match_name

If name is not found in subjectAltNames, report it as error.

Fixes Panic: file iostream-openssl-common.c: line 177 (openssl_cert_match_name): assertion failed: (*reason_r != NULL)


  Commit: c383e997be5d1b50b6cb73324c240c13bd96ea0e
      https://github.com/dovecot/core/commit/c383e997be5d1b50b6cb73324c240c13bd96ea0e
  Author: Aki Tuomi <aki.tuomi at dovecot.fi>
  Date:   2018-04-25 (Wed, 25 Apr 2018)

  Changed paths:
    M src/lib-ssl-iostream/iostream-openssl.c

  Log Message:
  -----------
  lib-ssl-iostream: Do not skip cert name check if invalid cert is allowed

Caller should be responsible for ignoring this error, not us.
All the locations calling here are dealing with this correctly.


  Commit: 78d6bd63bcbcd65fa6fae9febfb2421a05ef31a2
      https://github.com/dovecot/core/commit/78d6bd63bcbcd65fa6fae9febfb2421a05ef31a2
  Author: Aki Tuomi <aki.tuomi at dovecot.fi>
  Date:   2018-04-25 (Wed, 25 Apr 2018)

  Changed paths:
    M src/lib-http/test-http-client.c

  Log Message:
  -----------
  lib-http: test-http-client - Test against missing SAN name

Add test to make sure http client validates and ignores
missing subjectAltName in cert, when not validating names.


  Commit: ed6b01ce1544d9b35a8da8832cb6b649b226f58c
      https://github.com/dovecot/core/commit/ed6b01ce1544d9b35a8da8832cb6b649b226f58c
  Author: Aki Tuomi <aki.tuomi at dovecot.fi>
  Date:   2018-04-25 (Wed, 25 Apr 2018)

  Changed paths:
    M src/lib-http/test-http-client.c

  Log Message:
  -----------
  lib-http: test-http-client - Only load existing CAs

Otherwise the SSL tests do not properly work.

Fixes Error: HTTP Request failed: Couldn't initialize SSL context: Can't load CA certs from directory /etc/ssl/certs: error:02001002:system library:fopen:No such file or directory: fopen('/etc/pki/tls/cert.pem','r'), error:2006D080:BIO routines:BIO_new_file:no such file, error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib


Compare: https://github.com/dovecot/core/compare/99d9e710d669...ed6b01ce1544

