tls: added ability to store certs in config/ssl

was hard coded to ./ssl
This commit is contained in:
Matt Simerson 2013-04-20 16:27:14 -04:00
parent c58404c3c4
commit 42296b950c

View File

@ -45,7 +45,7 @@ MAIL FROM onwards.
Use the script C<plugins/tls_cert> to automatically generate a self-signed
certificate with the appropriate characteristics. Otherwise, you should
give absolute pathnames to the certificate, key, and the CA root cert
give absolute pathnames to the certificate, key, and the CA root cert
used to sign that certificate.
=head1 CIPHERS and COMPATIBILITY
@ -63,9 +63,10 @@ use IO::Socket::SSL 0.98;
sub init {
my ($self, $qp, $cert, $key, $ca) = @_;
$cert ||= 'ssl/qpsmtpd-server.crt';
$key ||= 'ssl/qpsmtpd-server.key';
$ca ||= 'ssl/qpsmtpd-ca.crt';
my $dir = -d 'ssl' ? 'ssl' : 'config/ssl';
$cert ||= "$dir/qpsmtpd-server.crt";
$key ||= "$dir/qpsmtpd-server.key";
$ca ||= "$dir/qpsmtpd-ca.crt";
unless ( -f $cert && -f $key && -f $ca ) {
$self->log(LOGERROR, "Cannot locate cert/key! Run plugins/tls_cert to generate");
return;
@ -74,7 +75,7 @@ sub init {
$self->tls_key($key);
$self->tls_ca($ca);
$self->tls_ciphers($self->qp->config('tls_ciphers') || 'HIGH');
$self->log(LOGDEBUG, "ciphers: ".$self->tls_ciphers);
local $^W; # this bit is very noisy...
@ -87,9 +88,9 @@ sub init {
SSL_server => 1
) or die "Could not create SSL context: $!";
# now extract the password...
$self->ssl_context($ssl_ctx);
# Check for possible AUTH mechanisms
HOOK: foreach my $hook ( keys %{$qp->hooks} ) {
no strict 'refs';
@ -120,20 +121,20 @@ sub hook_ehlo {
sub hook_unrecognized_command {
my ($self, $transaction, $cmd, @args) = @_;
return DECLINED unless $cmd eq 'starttls';
return DECLINED unless lc $cmd eq 'starttls';
return DECLINED unless $transaction->notes('tls_enabled');
return DENY, "Syntax error (no parameters allowed)" if @args;
# OK, now we setup TLS
$self->qp->respond (220, "Go ahead with TLS");
unless ( _convert_to_ssl($self) ) {
# SSL setup failed. Now we must respond to every command with 5XX
warn("TLS failed: $@\n");
$transaction->notes('ssl_failed', 1);
return DENY, "TLS Negotiation Failed";
}
$self->log(LOGWARN, "TLS setup returning");
return DONE;
}
@ -143,7 +144,7 @@ sub hook_connect {
my $local_port = $self->qp->connection->local_port;
return DECLINED unless defined $local_port && $local_port == 465; # SMTPS
unless ( _convert_to_ssl($self) ) {
return (DENY_DISCONNECT, "Cannot establish SSL session");
}
@ -182,7 +183,7 @@ sub _convert_to_ssl {
SSL_server => 1,
SSL_reuse_ctx => $self->ssl_context,
) or die "Could not create SSL socket: $!";
# Clone connection object (without data received from client)
$self->qp->connection($self->connection->clone());
$self->qp->reset_transaction;
@ -283,18 +284,18 @@ sub upgrade_socket {
SSL_startHandshake => 0,
SSL_server => 1,
SSL_reuse_ctx => $self->{_stashed_plugin}->ssl_context,
}
}
) or die "Could not upgrade socket to SSL: $!";
$self->{_ssl_started} = 1;
}
$self->event_read($self->{_stashed_qp});
}
sub event_read {
my UpgradeClientSSL $self = shift;
my $qp = shift;
$qp->watch_read( 0 );
my $sock = $qp->{sock}->accept_SSL;