From: Joel Fridolin Meyer
Date: Sun, 19 Jul 2020 11:43:37 +0200
Subject: patch smtp: ignore unrecognized certificates
To: 9front@9front.org

(This is a duplicate mail, because I'm not sure if the original mail from my mail server is delivered correctly.)

Hello devs,

this patch adds a new flag -c to the upas/smtp command (smtp(8)). This flag removes the need to manually add thumbprints for TLS certificates to /sys/lib/tls/smtp, ignoring unrecognized certificates.

Thumbprints for unrecognized certificates will still be printed to /sys/log/smtp, and the message will still be sent.

If you want to add this to 9front, I'll happily adjust the usage message as well as the man page.

diff -r f8f63e944375 sys/src/cmd/upas/smtp/smtp.c
--- a/sys/src/cmd/upas/smtp/smtp.c	Fri Jul 17 16:53:20 2020 +0200
+++ b/sys/src/cmd/upas/smtp/smtp.c	Sun Jul 19 11:00:15 2020 +0200
@@ -46,6 +46,7 @@
 int	quitting;	/* when error occurs in quit */
 int	tryauth;	/* Try to authenticate, if supported */
 int	trysecure;	/* Try to use TLS if the other side supports it */
+int	nocertcheck;	/* ignore unrecognized certs. Still logged */
 
 char	*quitrv;	/* deferred return value when in quit */
 char	ddomain[1024];	/* domain name of destination machine */
@@ -185,6 +186,9 @@
 	case 'u':
 		user = EARGF(usage());
 		break;
+	case 'c':
+		nocertcheck = 1;
+		break;
 	default:
 		usage();
 		break;
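Review bot: in the `@@ -46,6 +46,7 @@` hunk the comment on `nocertcheck` should say what the flag actually gives up, not only that the cert is still logged; something like `/* -c: skip thumbprint check, accept any cert (peer unauthenticated), log it */` tells the next reader that a TLS session started under this flag has no authenticated peer, which is the property the rest of the file otherwise relies on.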
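Review bot: the `@@ -185,6 +186,9 @@` hunk wires `case 'c':` into the option switch but `usage()` is untouched, so the binary will accept -c without ever advertising it; the usage string and smtp(8) should be updated in this patch rather than deferred as the cover letter offers. The man page text should also state that -c only has an effect on the TLS path (the `okCertificate` check in the third hunk) and that it trades certificate pinning for delivery on an unauthenticated session, so operators do not read it as a harmless convenience flag.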
@@ -420,7 +424,9 @@
 	}
 	if (!okCertificate(c->cert, c->certlen, goodcerts)) {
 		syslog(0, "smtp", "cert for %s not recognized: %r", ddomain);
-		goto Out;
+		if (!nocertcheck)
+			goto Out;
+		syslog(0, "smtp", "ignoring unrecognized cert");
 	}
 	syslog(0, "smtp", "started TLS to %q", ddomain);
 	err = nil;
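Review bot: the new `syslog` in the `@@ -420,7 +424,9 @@` hunk drops `ddomain` although the line just above logs it, so the two events cannot be correlated per destination in /sys/log/smtp once several deliveries interleave; suggest `syslog(0, "smtp", "ignoring unrecognized cert for %q, TLS peer unauthenticated", ddomain);`. The control flow is otherwise right, but it is worth being explicit in both the log text and the man page about what happens after `goto Out` is skipped: the code falls through to "started TLS to" on a session whose peer was never matched against /sys/lib/tls/smtp, so with -c an on-path party presenting its own certificate is accepted with nothing but this log line to show for it, and the flag gives confidentiality against passive observers only. The thumbprint the cover letter says is still logged is exactly what an operator should be verifying out of band and adding to /sys/lib/tls/smtp, which makes -c a bootstrap or last-resort option rather than something to leave enabled.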
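As an added example (not code from this patch, from smtp.c, or from 9front), the following C program models the decision the third hunk makes after the TLS handshake: look the peer certificate's thumbprint up in a pinned set and then either treat the peer as authenticated, defer delivery, or continue on an unauthenticated session while logging enough to pin the certificate later. It assumes a thumbprint file format of one `x509 sha256=<64 hex digits>` per line with `#` comments (an assumption about /sys/lib/tls/smtp, not taken from the page); `loadpins`, `checkcert`, `thumbeq` and the `Pinset` type are hypothetical names, and every thumbprint, the `mail.example` destination and the sample file are constructed values. Unlike the patch, the soft-fail log line carries the destination and the ready-to-paste pin line, which is what an operator needs to move a destination from "unauthenticated" to "pinned".

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/*
 * Added example, not code from smtp.c or 9front. Models the post-handshake
 * decision: is the peer cert's thumbprint pinned and, if not, defer delivery
 * (default) or continue on an unauthenticated TLS session (the -c behaviour).
 */
enum certverdict {
	CERT_PINNED,		/* thumbprint matched a pin: peer authenticated */
	CERT_REJECTED,		/* no match, strict mode: defer delivery */
	CERT_UNVERIFIED		/* no match, -c mode: continue, peer unauthenticated */
};

#define MAXPINS	32
#define HEXLEN	64		/* sha256 thumbprint as hex digits */

typedef struct {
	int	n;
	char	pin[MAXPINS][HEXLEN+1];
} Pinset;

/*
 * Parse a thumbprint file body. Assumed format (not from the page): one
 * "x509 sha256=<64 hex digits>" per line, '#' starts a comment; lines that
 * do not match (other algorithms, wrong length) are skipped. Returns the count.
 */
int
loadpins(const char *text, Pinset *ps)
{
	const char *p;
	char line[256], hex[HEXLEN+1], *s;
	size_t len;
	int n;
	ps->n = 0;
	for(p = text; *p != '\0' && ps->n < MAXPINS; p += len + (p[len] == '\n')){
		len = strcspn(p, "\n");
		snprintf(line, sizeof line, "%.*s", (int)len, p);	/* one line, truncated if overlong */
		if((s = strchr(line, '#')) != NULL)
			*s = '\0';
		n = 0;
		if(sscanf(line, " x509 sha256=%64[0123456789abcdefABCDEF]%n", hex, &n) == 1
		&& strlen(hex) == HEXLEN && !isxdigit((unsigned char)line[n]))
			strcpy(ps->pin[ps->n++], hex);
	}
	return ps->n;
}

/* Case-insensitive comparison of two hex thumbprints. */
static int
thumbeq(const char *a, const char *b)
{
	for(; *a != '\0' && *b != '\0'; a++, b++)
		if(tolower((unsigned char)*a) != tolower((unsigned char)*b))
			return 0;
	return *a == *b;
}

/*
 * Decide what to do with a peer cert whose thumbprint is thumb; nocertcheck
 * plays the role of the patch's flag. The log line always names the
 * destination and, for an unrecognized cert, repeats the pin line so an
 * operator can add it to the thumbprint file after verifying it out of band.
 */
enum certverdict
checkcert(const char *domain, const char *thumb, const Pinset *ps,
	int nocertcheck, char *logbuf, size_t logsz)
{
	int i;
	for(i = 0; i < ps->n; i++)
		if(thumbeq(thumb, ps->pin[i])){
			snprintf(logbuf, logsz, "started TLS to %s (cert pinned)", domain);
			return CERT_PINNED;
		}
	snprintf(logbuf, logsz, "cert for %s not recognized: x509 sha256=%s; %s", domain, thumb,
		nocertcheck ? "continuing, TLS peer unauthenticated" : "delivery deferred");
	return nocertcheck ? CERT_UNVERIFIED : CERT_REJECTED;
}

/* Constructed sample values; none of these is a real certificate thumbprint. */
const char pin_a_upper[] = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF";
const char unknown_thumb[] = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef";
const char samplepins[] =
	"# constructed thumbprint file in the assumed /sys/lib/tls/smtp style\n"
	"x509 sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef\n"
	"x509 sha1=0123456789abcdef01234567    # other algorithm: skipped here\n"
	"x509 sha256=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 # mail.example\n";

int
main(void)
{
	Pinset ps;
	char buf[256];
	printf("%d pins loaded\n", loadpins(samplepins, &ps));
	checkcert("mail.example", pin_a_upper, &ps, 0, buf, sizeof buf); puts(buf);
	checkcert("mail.example", unknown_thumb, &ps, 0, buf, sizeof buf); puts(buf);
	checkcert("mail.example", unknown_thumb, &ps, 1, buf, sizeof buf); puts(buf);
	return 0;
}
```

The three `checkcert` calls in `main` walk through the pinned case, the default strict case and the -c case for the same destination; the only difference between the last two is the flag, which is the point the patch's log line should make visible. The `sha1=` line in the sample file is deliberately skipped to show that an unexpected algorithm fails closed rather than matching anything.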