send-email: be explicit with SSL certificate verification
When initiating an SSL connection without explicitly specifying the SSL certificate verification mode, Net::SMTP::SSL defaults to no verification, but recent versions of the module gives a warning against this use of the default. Enable certificate verification by default, using /etc/ssl/certs as the default path for certificates of certificate authorities. This path can be overriden by the --smtp-ssl-cert-path command line option and the sendemail.smtpSSLCertPath configuration variable. Passing an empty string as the path for CA certificates path disables the SSL certificate verification explicitly, which does not trigger the warning from recent versions of Net::SMTP::SSL. Signed-off-by: Ramkumar Ramachandra <artagnon@gmail.com> Helped-by: Brian M. Carlson <sandals@crustytoothpaste.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
parent
531c8dd4fb
commit
35035bbf07
@ -2022,6 +2022,10 @@ sendemail.smtpencryption::
|
|||||||
sendemail.smtpssl::
|
sendemail.smtpssl::
|
||||||
Deprecated alias for 'sendemail.smtpencryption = ssl'.
|
Deprecated alias for 'sendemail.smtpencryption = ssl'.
|
||||||
|
|
||||||
|
sendemail.smtpsslcertpath::
|
||||||
|
Path to ca-certificates (either a directory or a single file).
|
||||||
|
Set it to an empty string to disable certificate verification.
|
||||||
|
|
||||||
sendemail.<identity>.*::
|
sendemail.<identity>.*::
|
||||||
Identity-specific versions of the 'sendemail.*' parameters
|
Identity-specific versions of the 'sendemail.*' parameters
|
||||||
found below, taking precedence over those when the this
|
found below, taking precedence over those when the this
|
||||||
|
@ -198,6 +198,12 @@ must be used for each option.
|
|||||||
--smtp-ssl::
|
--smtp-ssl::
|
||||||
Legacy alias for '--smtp-encryption ssl'.
|
Legacy alias for '--smtp-encryption ssl'.
|
||||||
|
|
||||||
|
--smtp-ssl-cert-path::
|
||||||
|
Path to ca-certificates (either a directory or a single file).
|
||||||
|
Set it to an empty string to disable certificate verification.
|
||||||
|
Defaults to the value set to the 'sendemail.smtpsslcertpath'
|
||||||
|
configuration variable, if set, or `/etc/ssl/certs` otherwise.
|
||||||
|
|
||||||
--smtp-user=<user>::
|
--smtp-user=<user>::
|
||||||
Username for SMTP-AUTH. Default is the value of 'sendemail.smtpuser';
|
Username for SMTP-AUTH. Default is the value of 'sendemail.smtpuser';
|
||||||
if a username is not specified (with '--smtp-user' or 'sendemail.smtpuser'),
|
if a username is not specified (with '--smtp-user' or 'sendemail.smtpuser'),
|
||||||
|
@ -69,6 +69,9 @@ git send-email [options] <file | directory | rev-list options >
|
|||||||
--smtp-pass <str> * Password for SMTP-AUTH; not necessary.
|
--smtp-pass <str> * Password for SMTP-AUTH; not necessary.
|
||||||
--smtp-encryption <str> * tls or ssl; anything else disables.
|
--smtp-encryption <str> * tls or ssl; anything else disables.
|
||||||
--smtp-ssl * Deprecated. Use '--smtp-encryption ssl'.
|
--smtp-ssl * Deprecated. Use '--smtp-encryption ssl'.
|
||||||
|
--smtp-ssl-cert-path <str> * Path to ca-certificates (either directory or file).
|
||||||
|
Pass an empty string to disable certificate
|
||||||
|
verification.
|
||||||
--smtp-domain <str> * The domain name sent to HELO/EHLO handshake
|
--smtp-domain <str> * The domain name sent to HELO/EHLO handshake
|
||||||
--smtp-debug <0|1> * Disable, enable Net::SMTP debug.
|
--smtp-debug <0|1> * Disable, enable Net::SMTP debug.
|
||||||
|
|
||||||
@ -194,7 +197,7 @@ sub do_edit {
|
|||||||
my ($thread, $chain_reply_to, $suppress_from, $signed_off_by_cc);
|
my ($thread, $chain_reply_to, $suppress_from, $signed_off_by_cc);
|
||||||
my ($to_cmd, $cc_cmd);
|
my ($to_cmd, $cc_cmd);
|
||||||
my ($smtp_server, $smtp_server_port, @smtp_server_options);
|
my ($smtp_server, $smtp_server_port, @smtp_server_options);
|
||||||
my ($smtp_authuser, $smtp_encryption);
|
my ($smtp_authuser, $smtp_encryption, $smtp_ssl_cert_path);
|
||||||
my ($identity, $aliasfiletype, @alias_files, $smtp_domain);
|
my ($identity, $aliasfiletype, @alias_files, $smtp_domain);
|
||||||
my ($validate, $confirm);
|
my ($validate, $confirm);
|
||||||
my (@suppress_cc);
|
my (@suppress_cc);
|
||||||
@ -222,6 +225,7 @@ my %config_settings = (
|
|||||||
"smtpserveroption" => \@smtp_server_options,
|
"smtpserveroption" => \@smtp_server_options,
|
||||||
"smtpuser" => \$smtp_authuser,
|
"smtpuser" => \$smtp_authuser,
|
||||||
"smtppass" => \$smtp_authpass,
|
"smtppass" => \$smtp_authpass,
|
||||||
|
"smtpsslcertpath" => \$smtp_ssl_cert_path,
|
||||||
"smtpdomain" => \$smtp_domain,
|
"smtpdomain" => \$smtp_domain,
|
||||||
"to" => \@initial_to,
|
"to" => \@initial_to,
|
||||||
"tocmd" => \$to_cmd,
|
"tocmd" => \$to_cmd,
|
||||||
@ -302,6 +306,7 @@ my $rc = GetOptions("h" => \$help,
|
|||||||
"smtp-pass:s" => \$smtp_authpass,
|
"smtp-pass:s" => \$smtp_authpass,
|
||||||
"smtp-ssl" => sub { $smtp_encryption = 'ssl' },
|
"smtp-ssl" => sub { $smtp_encryption = 'ssl' },
|
||||||
"smtp-encryption=s" => \$smtp_encryption,
|
"smtp-encryption=s" => \$smtp_encryption,
|
||||||
|
"smtp-ssl-cert-path" => \$smtp_ssl_cert_path,
|
||||||
"smtp-debug:i" => \$debug_net_smtp,
|
"smtp-debug:i" => \$debug_net_smtp,
|
||||||
"smtp-domain:s" => \$smtp_domain,
|
"smtp-domain:s" => \$smtp_domain,
|
||||||
"identity=s" => \$identity,
|
"identity=s" => \$identity,
|
||||||
@ -1089,6 +1094,34 @@ sub smtp_auth_maybe {
|
|||||||
return $auth;
|
return $auth;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub ssl_verify_params {
|
||||||
|
eval {
|
||||||
|
require IO::Socket::SSL;
|
||||||
|
IO::Socket::SSL->import(qw/SSL_VERIFY_PEER SSL_VERIFY_NONE/);
|
||||||
|
};
|
||||||
|
if ($@) {
|
||||||
|
print STDERR "Not using SSL_VERIFY_PEER due to out-of-date IO::Socket::SSL.\n";
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!defined $smtp_ssl_cert_path) {
|
||||||
|
$smtp_ssl_cert_path = "/etc/ssl/certs";
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($smtp_ssl_cert_path eq "") {
|
||||||
|
return (SSL_verify_mode => SSL_VERIFY_NONE());
|
||||||
|
} elsif (-d $smtp_ssl_cert_path) {
|
||||||
|
return (SSL_verify_mode => SSL_VERIFY_PEER(),
|
||||||
|
SSL_ca_path => $smtp_ssl_cert_path);
|
||||||
|
} elsif (-f $smtp_ssl_cert_path) {
|
||||||
|
return (SSL_verify_mode => SSL_VERIFY_PEER(),
|
||||||
|
SSL_ca_file => $smtp_ssl_cert_path);
|
||||||
|
} else {
|
||||||
|
print STDERR "Not using SSL_VERIFY_PEER because the CA path does not exist.\n";
|
||||||
|
return (SSL_verify_mode => SSL_VERIFY_NONE());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# Returns 1 if the message was sent, and 0 otherwise.
|
# Returns 1 if the message was sent, and 0 otherwise.
|
||||||
# In actuality, the whole program dies when there
|
# In actuality, the whole program dies when there
|
||||||
# is an error sending a message.
|
# is an error sending a message.
|
||||||
@ -1194,7 +1227,8 @@ X-Mailer: git-send-email $gitversion
|
|||||||
$smtp_domain ||= maildomain();
|
$smtp_domain ||= maildomain();
|
||||||
$smtp ||= Net::SMTP::SSL->new($smtp_server,
|
$smtp ||= Net::SMTP::SSL->new($smtp_server,
|
||||||
Hello => $smtp_domain,
|
Hello => $smtp_domain,
|
||||||
Port => $smtp_server_port);
|
Port => $smtp_server_port,
|
||||||
|
ssl_verify_params());
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
require Net::SMTP;
|
require Net::SMTP;
|
||||||
@ -1207,7 +1241,8 @@ X-Mailer: git-send-email $gitversion
|
|||||||
$smtp->command('STARTTLS');
|
$smtp->command('STARTTLS');
|
||||||
$smtp->response();
|
$smtp->response();
|
||||||
if ($smtp->code == 220) {
|
if ($smtp->code == 220) {
|
||||||
$smtp = Net::SMTP::SSL->start_SSL($smtp)
|
$smtp = Net::SMTP::SSL->start_SSL($smtp,
|
||||||
|
ssl_verify_params())
|
||||||
or die "STARTTLS failed! ".$smtp->message;
|
or die "STARTTLS failed! ".$smtp->message;
|
||||||
$smtp_encryption = '';
|
$smtp_encryption = '';
|
||||||
# Send EHLO again to receive fresh
|
# Send EHLO again to receive fresh
|
||||||
|
Loading…
Reference in New Issue
Block a user