Remove the support for MAILSTREAM_CFSTREAM_SSL_ALLOWS_EXPIRED_CERTIFICATES,

MAILSTREAM_CFSTREAM_SSL_ALLOWS_EXPIRED_ROOTS, and
MAILSTREAM_CFSTREAM_SSL_ALLOWS_ANY_ROOT.

The underlying functionality for these (kCFStreamSSLAllowsExpiredCertificates,
kCFStreamSSLAllowsExpiredRoots, kCFStreamSSLAllowsAnyRoot) has been deprecated
since iOS 4 (!).

This means that the only thing that can be done is for the entire
certificate validation to be disabled, using
kCFStreamSSLValidatesCertificateChain via
MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN.
Ewan Mellor committed Oct 25, 2015
1 parent 32a61d5 commit eca926b
Showing 7 changed files with 6 additions and 22 deletions.
9 changes: 0 additions & 9 deletions src/data-types/mailstream_cfstream.c
Expand Up @@ -963,15 +963,6 @@ int mailstream_cfstream_set_ssl_enabled(mailstream * s, int ssl_enabled)
break;
}

if ((cfstream_data->ssl_certificate_verification_mask & MAILSTREAM_CFSTREAM_SSL_ALLOWS_EXPIRED_CERTIFICATES) != 0) {
CFDictionarySetValue(settings, kCFStreamSSLAllowsExpiredCertificates, kCFBooleanTrue);
}
if ((cfstream_data->ssl_certificate_verification_mask & MAILSTREAM_CFSTREAM_SSL_ALLOWS_EXPIRED_ROOTS) != 0) {
CFDictionarySetValue(settings, kCFStreamSSLAllowsExpiredRoots, kCFBooleanTrue);
}
if ((cfstream_data->ssl_certificate_verification_mask & MAILSTREAM_CFSTREAM_SSL_ALLOWS_ANY_ROOT) != 0) {
CFDictionarySetValue(settings, kCFStreamSSLAllowsAnyRoot, kCFBooleanTrue);
}
if ((cfstream_data->ssl_certificate_verification_mask & MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN) != 0) {
CFDictionarySetValue(settings, kCFStreamSSLValidatesCertificateChain, kCFBooleanFalse);
}
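Review bot: The surviving branch `if ((cfstream_data->ssl_certificate_verification_mask & MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN) != 0)` now carries the whole job of switching verification off, and nothing at that line says what the caller is expected to do instead; once kCFStreamSSLValidatesCertificateChain is set to kCFBooleanFalse the stream accepts whatever certificate the peer presents. A why-comment there would spare the next reader from guessing: `/* Turns off CFStream's own chain validation entirely; the peer certificate must then be checked by the caller (TODO confirm where that happens). */`. With the three per-condition relaxations gone the mask is effectively all-or-nothing, which is worth stating on the flag in the header as well. mailstream_cfstream_set_ssl_enabled starts before this hunk and continues after it.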
9 changes: 1 addition & 8 deletions src/data-types/mailstream_cfstream.h
Expand Up @@ -43,14 +43,7 @@ extern "C" {
extern int mailstream_cfstream_voip_enabled;

enum {
MAILSTREAM_CFSTREAM_SSL_ALLOWS_EXPIRED_CERTIFICATES = 1 << 0,
MAILSTREAM_CFSTREAM_SSL_ALLOWS_EXPIRED_ROOTS = 1 << 1,
MAILSTREAM_CFSTREAM_SSL_ALLOWS_ANY_ROOT = 1 << 2,
MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN = 1 << 3,
MAILSTREAM_CFSTREAM_SSL_NO_VERIFICATION = MAILSTREAM_CFSTREAM_SSL_ALLOWS_EXPIRED_CERTIFICATES |
MAILSTREAM_CFSTREAM_SSL_ALLOWS_EXPIRED_ROOTS |
MAILSTREAM_CFSTREAM_SSL_ALLOWS_ANY_ROOT |
MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN
MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN = 1 << 0,
};

enum {
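Review bot: Renumbering MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN from `1 << 3` to `1 << 0` gives it the value the deleted MAILSTREAM_CFSTREAM_SSL_ALLOWS_EXPIRED_CERTIFICATES used to have, so a caller built against the previous header, or one passing a literal mask, that only meant to tolerate an expired certificate now disables chain validation completely. Keeping the bit where it was avoids that silent downgrade: `MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN = 1 << 3, /* bits 0-2 were the removed ALLOWS_* flags; leave them unused */`. Dropping MAILSTREAM_CFSTREAM_SSL_NO_VERIFICATION is also a source-compatibility break for any external user of this header; if that is intended, saying so in the commit message or keeping it as an alias for the remaining flag would make it explicit. The enum is fully inside the hunk, but the enclosing extern "C" block starts before it.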
2 changes: 1 addition & 1 deletion src/driver/interface/mailstorage_tools.c
Expand Up @@ -281,7 +281,7 @@ int mailstorage_generic_connect_with_local_address(mailsession_driver * driver,
if (mailstream_cfstream_enabled) {
int ssl_level = MAILSTREAM_CFSTREAM_SSL_LEVEL_NEGOCIATED_SSL;
mailstream_cfstream_set_ssl_level(stream, ssl_level);
mailstream_cfstream_set_ssl_verification_mask(stream, MAILSTREAM_CFSTREAM_SSL_NO_VERIFICATION);
mailstream_cfstream_set_ssl_verification_mask(stream, MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN);
r = mailstream_cfstream_set_ssl_enabled(stream, 1);
if (r < 0) {
mailstream_close(stream);
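Review bot: The new call `mailstream_cfstream_set_ssl_verification_mask(stream, MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN);` still switches chain validation off unconditionally on every connect path, and nothing in the hunk records why that is acceptable; the same line recurs in mailimap_socket.c, mailimap_ssl.c, mailsmtp_socket.c and mailsmtp_ssl.c. Presumably the certificate is checked by a separate step after the handshake, but that is not visible here, so a one-line comment above each call would stop it reading as a plain verification bypass: `/* CFStream's own chain check is disabled here; the peer certificate is verified elsewhere (TODO confirm where). */`. mailstorage_generic_connect_with_local_address starts before this hunk and continues after it.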
2 changes: 1 addition & 1 deletion src/low-level/imap/mailimap_socket.c
Expand Up @@ -172,7 +172,7 @@ static int mailimap_cfsocket_starttls(mailimap * f)
return r;
}

mailstream_cfstream_set_ssl_verification_mask(f->imap_stream, MAILSTREAM_CFSTREAM_SSL_NO_VERIFICATION);
mailstream_cfstream_set_ssl_verification_mask(f->imap_stream, MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN);
r = mailstream_cfstream_set_ssl_enabled(f->imap_stream, 1);
if (r < 0) {
return MAILIMAP_ERROR_SSL;
2 changes: 1 addition & 1 deletion src/low-level/imap/mailimap_ssl.c
Expand Up @@ -125,7 +125,7 @@ static int mailimap_cfssl_connect_voip_ssl_level(mailimap * f, const char * serv
return MAILIMAP_ERROR_CONNECTION_REFUSED;
}
mailstream_cfstream_set_ssl_level(stream, ssl_level);
mailstream_cfstream_set_ssl_verification_mask(stream, MAILSTREAM_CFSTREAM_SSL_NO_VERIFICATION);
mailstream_cfstream_set_ssl_verification_mask(stream, MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN);
r = mailstream_cfstream_set_ssl_enabled(stream, 1);
if (r < 0) {
mailstream_close(stream);
2 changes: 1 addition & 1 deletion src/low-level/smtp/mailsmtp_socket.c
Expand Up @@ -156,7 +156,7 @@ static int mailsmtp_cfsocket_starttls(mailsmtp * session)
if (r != MAILSMTP_NO_ERROR)
return r;

mailstream_cfstream_set_ssl_verification_mask(session->stream, MAILSTREAM_CFSTREAM_SSL_NO_VERIFICATION);
mailstream_cfstream_set_ssl_verification_mask(session->stream, MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN);
r = mailstream_cfstream_set_ssl_enabled(session->stream, 1);
if (r < 0) {
return MAILSMTP_ERROR_SSL;
2 changes: 1 addition & 1 deletion src/low-level/smtp/mailsmtp_ssl.c
Expand Up @@ -113,7 +113,7 @@ static int mailsmtp_cfssl_connect_ssl_level(mailsmtp * session,
return MAILSMTP_ERROR_CONNECTION_REFUSED;
}
mailstream_cfstream_set_ssl_level(stream, ssl_level);
mailstream_cfstream_set_ssl_verification_mask(stream, MAILSTREAM_CFSTREAM_SSL_NO_VERIFICATION);
mailstream_cfstream_set_ssl_verification_mask(stream, MAILSTREAM_CFSTREAM_SSL_DISABLE_VALIDATES_CERTIFICATE_CHAIN);
r = mailstream_cfstream_set_ssl_enabled(stream, 1);
if (r < 0) {
mailstream_close(stream);
