Prereq: "2.4.14" diff -cr --new-file /var/tmp/postfix-2.4.14/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.4.14/src/global/mail_version.h Mon Mar 22 19:47:21 2010 --- ./src/global/mail_version.h Tue Nov 23 11:24:38 2010 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20090322" ! #define MAIL_VERSION_NUMBER "2.4.14" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20091123" ! #define MAIL_VERSION_NUMBER "2.4.15" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.4.14/HISTORY ./HISTORY *** /var/tmp/postfix-2.4.14/HISTORY Mon Mar 22 17:38:10 2010 --- ./HISTORY Tue Nov 23 11:26:06 2010 *************** *** 13731,13733 **** --- 13731,13773 ---- 2821 (and 5321) is vague about the VRFY request format, but spends lots of text on the reply format. File: smtpd/smtpd.c. + 20100610 + + Bugfix (introduced Postfix 2.2): Postfix no longer appends + the system default CA certificates to the lists specified + with *_tls_CAfile or with *_tls_CApath. This prevents + third-party certificates from getting mail relay permission + with the permit_tls_all_clientcerts feature. Unfortunately + this may cause compatibility problems with configurations + that rely on certificate verification for other purposes. + To get the old behavior, specify "tls_append_default_CA = + yes". Files: tls/tls_certkey.c, smtp/smtp_params.c, + smtpd/smtpd.c, global/mail_params.h. proto/postconf.proto, + mantools/postlink. + + 20100714 + + Compatibility with Postfix < 2.3: fix 20061207 was incomplete + (undoing the change to bounce instead of defer after + pipe-to-command delivery fails with a signal). 
Fix by Thomas + Arnett. File: global/pipe_command.c. + + 20100827 + + Performance: fix for poor smtpd_proxy_filter TCP performance + over loopback (127.0.0.1) connections. Problem reported by + Mark Martinec. Files: smtpd/smtpd_proxy.c. + + 20101023 + + Cleanup: don't apply reject_rhsbl_helo to non-domain forms + such as network addresses. This would cause false positives + with dbl.spamhaus.org. File: smtpd/smtpd_check.c. + + 20101117 + + Bugfix: the "421" reply after Milter error was overruled + by Postfix 1.1 code that replied with "503" for RFC 2821 + compliance. We now make an exception for "final" replies, + as permitted by RFC. Solution by Victor Duchovni. File: + smtpd/smtpd.c. diff -cr --new-file /var/tmp/postfix-2.4.14/RELEASE_NOTES ./RELEASE_NOTES *** /var/tmp/postfix-2.4.14/RELEASE_NOTES Fri Aug 28 20:32:37 2009 --- ./RELEASE_NOTES Tue Nov 23 11:39:17 2010 *************** *** 11,16 **** --- 11,28 ---- The mail_release_date configuration parameter (format: yyyymmdd) specifies the release date of a stable release or snapshot release. + Incompatibility with Postfix 2.4.15 + =================================== + + Postfix no longer appends the system-supplied default CA certificates + to the lists specified with *_tls_CAfile or with *_tls_CApath. This + prevents third-party certificates from getting mail relay permission + with the permit_tls_all_clientcerts feature. + + Unfortunately this change may cause compatibility problems when + configurations rely on certificate verification for other purposes. + Specify "tls_append_default_CA = yes" for backwards compatibility. 
+ Incompatibility with Postfix 2.4.4 ================================== diff -cr --new-file /var/tmp/postfix-2.4.14/html/postconf.5.html ./html/postconf.5.html *** /var/tmp/postfix-2.4.14/html/postconf.5.html Fri Jul 20 11:25:24 2007 --- ./html/postconf.5.html Tue Jun 15 19:39:31 2010 *************** *** 7979,7984 **** --- 7979,7988 ---- needed only when the CA certificate is not already present in the client certificate file.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 8002,8007 ****
--- 8006,8015 ----
  

To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 9278,9285 ****
  
Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA, otherwise all clients with a recognized certificate would be ! allowed to relay. This feature is available with Postfix version 2.2.
permit_tls_clientcerts
--- 9286,9296 ----
Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA. Otherwise, clients with a third-party certificate would also ! be allowed to relay. Specify "tls_append_default_CA = no" when the ! trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, ! to prevent Postfix from appending the system-supplied default CAs. ! This feature is available with Postfix version 2.2.
permit_tls_clientcerts
*************** *** 10878,10883 **** --- 10889,10898 ---- certificates of other trusted CAs. You must use this file for the list of trusted CAs if you want to use chroot-mode.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 10904,10909 ****
--- 10919,10928 ----
  clients might not offer certificates issued by them.  Use of this
  feature is therefore not recommended. 

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 11728,11733 ****
--- 11747,11769 ----
  
  
  
+ 
tls_append_default_CA + (default: no)
+ +

Append the system-supplied default certificate authority + certificates to the ones specified with *_tls_CApath or *_tls_CAfile. + The default is "no"; this prevents Postfix from trusting third-party + certificates and giving them relay permission with + permit_tls_all_clientcerts.

+ +

This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, + 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for + backwards compatibility, to avoid breaking certificate verification + with sites that don't use permit_tls_all_clientcerts.

+ + +
+
tls_daemon_random_bytes (default: 32)
diff -cr --new-file /var/tmp/postfix-2.4.14/man/man5/postconf.5 ./man/man5/postconf.5 *** /var/tmp/postfix-2.4.14/man/man5/postconf.5 Fri Jul 20 11:25:24 2007 --- ./man/man5/postconf.5 Tue Jun 15 19:39:31 2010 *************** *** 4442,4447 **** --- 4442,4451 ---- needed only when the CA certificate is not already present in the client certificate file. .PP + Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates. + .PP Example: .PP .nf *************** *** 4462,4467 **** --- 4466,4475 ---- To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail. .PP + Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates. + .PP Example: .PP .nf *************** *** 5476,5483 **** Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA, otherwise all clients with a recognized certificate would be ! allowed to relay. This feature is available with Postfix version 2.2. .IP "\fBpermit_tls_clientcerts\fR" Permit the request when the remote SMTP client certificate is verified successfully, and the certificate fingerprint is listed --- 5484,5494 ---- Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA. Otherwise, clients with a third-party certificate would also ! be allowed to relay. Specify "tls_append_default_CA = no" when the ! trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, ! to prevent Postfix from appending the system-supplied default CAs. ! This feature is available with Postfix version 2.2. 
.IP "\fBpermit_tls_clientcerts\fR" Permit the request when the remote SMTP client certificate is verified successfully, and the certificate fingerprint is listed *************** *** 6513,6518 **** --- 6524,6533 ---- certificates of other trusted CAs. You must use this file for the list of trusted CAs if you want to use chroot-mode. .PP + Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates. + .PP Example: .PP .nf *************** *** 6537,6542 **** --- 6552,6561 ---- clients might not offer certificates issued by them. Use of this feature is therefore not recommended. .PP + Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates. + .PP Example: .PP .nf *************** *** 7128,7133 **** --- 7147,7163 ---- process initialization will be logged with the default name. Examples are errors while parsing the command line arguments, and errors while accessing the Postfix main.cf configuration file. + .SH tls_append_default_CA (default: no) + Append the system-supplied default certificate authority + certificates to the ones specified with *_tls_CApath or *_tls_CAfile. + The default is "no"; this prevents Postfix from trusting third-party + certificates and giving them relay permission with + permit_tls_all_clientcerts. + .PP + This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, + 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for + backwards compatibility, to avoid breaking certificate verification + with sites that don't use permit_tls_all_clientcerts. 
.SH tls_daemon_random_bytes (default: 32) The number of pseudo-random bytes that an \fBsmtp\fR(8) or \fBsmtpd\fR(8) process requests from the \fBtlsmgr\fR(8) server in order to seed its diff -cr --new-file /var/tmp/postfix-2.4.14/mantools/postlink ./mantools/postlink *** /var/tmp/postfix-2.4.14/mantools/postlink Tue Jul 10 13:27:12 2007 --- ./mantools/postlink Tue Jun 15 18:02:04 2010 *************** *** 601,606 **** --- 601,607 ---- s;\btls_low_cipherlist\b;$&;g; s;\btls_export_cipherlist\b;$&;g; s;\btls_null_cipherlist\b;$&;g; + s;\btls_append_default_CA\b;$&;g; s;\bfrozen_delivered_to\b;$&;g; diff -cr --new-file /var/tmp/postfix-2.4.14/proto/postconf.proto ./proto/postconf.proto *** /var/tmp/postfix-2.4.14/proto/postconf.proto Fri Jul 20 11:24:56 2007 --- ./proto/postconf.proto Tue Jun 15 19:38:04 2010 *************** *** 4637,4644 ****
Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA, otherwise all clients with a recognized certificate would be ! allowed to relay. This feature is available with Postfix version 2.2.
permit_tls_clientcerts
--- 4637,4647 ----
Permit the request when the remote SMTP client certificate is verified successfully. This option must be used only if a special CA issues the certificates and only this CA is listed as trusted ! CA. Otherwise, clients with a third-party certificate would also ! be allowed to relay. Specify "tls_append_default_CA = no" when the ! trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, ! to prevent Postfix from appending the system-supplied default CAs. ! This feature is available with Postfix version 2.2.
permit_tls_clientcerts
*************** *** 8226,8231 **** --- 8229,8238 ---- certificates of other trusted CAs. You must use this file for the list of trusted CAs if you want to use chroot-mode.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 8248,8253 ****
--- 8255,8264 ----
  clients might not offer certificates issued by them.  Use of this
  feature is therefore not recommended. 

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 8581,8586 ****
--- 8592,8601 ----
  needed only when the CA certificate is not already present in the
  client certificate file.  

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 8600,8605 ****
--- 8615,8624 ----
  

To use this option in chroot mode, this directory (or a copy) must be inside the chroot jail.

+

Specify "tls_append_default_CA = no" to prevent Postfix from + appending the system-supplied default CAs and trusting third-party + certificates.

+

Example:

***************
*** 8874,8879 ****
--- 8893,8911 ----
  
  

This feature is available in Postfix 2.2 and later.

+ %PARAM tls_append_default_CA no + +

Append the system-supplied default certificate authority + certificates to the ones specified with *_tls_CApath or *_tls_CAfile. + The default is "no"; this prevents Postfix from trusting third-party + certificates and giving them relay permission with + permit_tls_all_clientcerts.

+ +

This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, + 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for + backwards compatibility, to avoid breaking certificate verification + with sites that don't use permit_tls_all_clientcerts.

+ %PARAM tls_random_exchange_name ${config_directory}/prng_exch

Name of the pseudo random number generator (PRNG) state file diff -cr --new-file /var/tmp/postfix-2.4.14/src/global/mail_params.h ./src/global/mail_params.h *** /var/tmp/postfix-2.4.14/src/global/mail_params.h Fri May 9 09:33:34 2008 --- ./src/global/mail_params.h Tue Jun 15 18:02:04 2010 *************** *** 593,598 **** --- 593,602 ---- #define DEF_DUP_FILTER_LIMIT 1000 extern int var_dup_filter_limit; + #define VAR_TLS_APPEND_DEF_CA "tls_append_default_CA" + #define DEF_TLS_APPEND_DEF_CA 0 /* Postfix < 2.8 BC break */ + extern bool var_tls_append_def_CA; + #define VAR_TLS_RAND_EXCH_NAME "tls_random_exchange_name" #define DEF_TLS_RAND_EXCH_NAME "${config_directory}/prng_exch" extern char *var_tls_rand_exch_name; diff -cr --new-file /var/tmp/postfix-2.4.14/src/global/pipe_command.c ./src/global/pipe_command.c *** /var/tmp/postfix-2.4.14/src/global/pipe_command.c Thu Dec 7 20:55:33 2006 --- ./src/global/pipe_command.c Wed Jul 14 15:26:14 2010 *************** *** 628,634 **** */ if (!NORMAL_EXIT_STATUS(wait_status)) { if (WIFSIGNALED(wait_status)) { ! dsb_unix(why, "5.3.0", log_len ? log_buf : sys_exits_detail(EX_SOFTWARE)->text, "Command died with signal %d: \"%s\"%s%s", WTERMSIG(wait_status), args.command, --- 628,634 ---- */ if (!NORMAL_EXIT_STATUS(wait_status)) { if (WIFSIGNALED(wait_status)) { ! dsb_unix(why, "4.3.0", log_len ? 
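Review bot: The comment `/* Postfix < 2.8 BC break */` on `DEF_TLS_APPEND_DEF_CA 0` records that a compatibility break exists but not what the parameter controls or why the default is off, which is the security-relevant fact for anyone who later revisits this header. The HISTORY entry in this same patch gives the reason: system default CAs appended to *_tls_CAfile/*_tls_CApath let third-party certificates satisfy permit_tls_all_clientcerts. A self-contained form would be `#define DEF_TLS_APPEND_DEF_CA 0 /* off: system CAs must not widen permit_tls_all_clientcerts; breaks Postfix < 2.8 setups that relied on them */`. The unconditional `extern bool var_tls_append_def_CA;` matches the neighbouring `extern char *var_tls_rand_exch_name;`, so its placement outside any `#ifdef USE_TLS` is consistent with this header.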
log_buf : sys_exits_detail(EX_SOFTWARE)->text, "Command died with signal %d: \"%s\"%s%s", WTERMSIG(wait_status), args.command, diff -cr --new-file /var/tmp/postfix-2.4.14/src/smtp/lmtp_params.c ./src/smtp/lmtp_params.c *** /var/tmp/postfix-2.4.14/src/smtp/lmtp_params.c Thu Oct 5 12:37:58 2006 --- ./src/smtp/lmtp_params.c Tue Jun 15 18:21:50 2010 *************** *** 94,99 **** --- 94,100 ---- #ifdef USE_TLS VAR_LMTP_TLS_ENFORCE_PN, DEF_LMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername, VAR_LMTP_TLS_NOTEOFFER, DEF_LMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer, + VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, #endif VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth, VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr, diff -cr --new-file /var/tmp/postfix-2.4.14/src/smtp/smtp.c ./src/smtp/smtp.c *** /var/tmp/postfix-2.4.14/src/smtp/smtp.c Fri Jul 20 11:25:24 2007 --- ./src/smtp/smtp.c Tue Jun 15 18:07:10 2010 *************** *** 704,709 **** --- 704,710 ---- int var_smtp_tls_scert_vd; char *var_smtp_tls_vfy_cmatch; int var_tls_daemon_rand_bytes; + bool var_tls_append_def_CA; #endif diff -cr --new-file /var/tmp/postfix-2.4.14/src/smtp/smtp_params.c ./src/smtp/smtp_params.c *** /var/tmp/postfix-2.4.14/src/smtp/smtp_params.c Thu Oct 5 12:37:40 2006 --- ./src/smtp/smtp_params.c Tue Jun 15 18:21:41 2010 *************** *** 98,103 **** --- 98,104 ---- #ifdef USE_TLS VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername, VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer, + VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, #endif VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth, VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr, diff -cr --new-file /var/tmp/postfix-2.4.14/src/smtpd/smtpd.c ./src/smtpd/smtpd.c *** /var/tmp/postfix-2.4.14/src/smtpd/smtpd.c Mon Mar 22 17:38:56 2010 --- ./src/smtpd/smtpd.c 
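Review bot: The only change in the pipe_command.c hunk is the literal `"5.3.0"` becoming `"4.3.0"`, and nothing at the call site says why a command killed by a signal is now reported with a transient (4.x.x, defer) rather than permanent (5.x.x, bounce) status; the rationale lives only in HISTORY entry 20100714. A one-line comment above the `dsb_unix` call would keep it with the code: `/* Transient status: a command that died with a signal is deferred, not bounced, as in Postfix < 2.3 (see 20061207, 20100714). */`. The enclosing `if (WIFSIGNALED(wait_status))` block begins before the hunk and the `dsb_unix` argument list continues past it, so the rest of the reply text is not reviewable here.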
Mon Nov 22 15:26:50 2010 *************** *** 1082,1087 **** --- 1082,1088 ---- int var_smtpd_tls_scache_timeout; bool var_smtpd_tls_set_sessid; int var_tls_daemon_rand_bytes; + bool var_tls_append_def_CA; #endif *************** *** 4014,4019 **** --- 4015,4025 ---- } /* XXX We use the real client for connect access control. */ if (state->access_denied && cmdp->action != quit_cmd) { + /* XXX Exception for Milter override. */ + if (strncmp(state->access_denied + 1, "21", 2) == 0) { + smtpd_chat_reply(state, "%s", state->access_denied); + continue; + } smtpd_chat_reply(state, "503 5.7.0 Error: access denied for %s", state->namaddr); /* RFC 2821 Sec 3.1 */ state->error_count++; *************** *** 4509,4514 **** --- 4515,4521 ---- VAR_SMTPD_TLS_RCERT, DEF_SMTPD_TLS_RCERT, &var_smtpd_tls_req_ccert, VAR_SMTPD_TLS_RECHEAD, DEF_SMTPD_TLS_RECHEAD, &var_smtpd_tls_received_header, VAR_SMTPD_TLS_SET_SESSID, DEF_SMTPD_TLS_SET_SESSID, &var_smtpd_tls_set_sessid, + VAR_TLS_APPEND_DEF_CA, DEF_TLS_APPEND_DEF_CA, &var_tls_append_def_CA, #endif VAR_SMTPD_PEERNAME_LOOKUP, DEF_SMTPD_PEERNAME_LOOKUP, &var_smtpd_peername_lookup, VAR_SMTPD_DELAY_OPEN, DEF_SMTPD_DELAY_OPEN, &var_smtpd_delay_open, diff -cr --new-file /var/tmp/postfix-2.4.14/src/smtpd/smtpd_check.c ./src/smtpd/smtpd_check.c *** /var/tmp/postfix-2.4.14/src/smtpd/smtpd_check.c Fri Aug 28 20:27:16 2009 --- ./src/smtpd/smtpd_check.c Mon Nov 22 10:13:16 2010 *************** *** 3684,3690 **** name); else { cpp += 1; ! if (state->helo_name) status = reject_rbl_domain(state, *cpp, state->helo_name, SMTPD_NAME_HELO); } --- 3684,3691 ---- name); else { cpp += 1; ! if (state->helo_name ! 
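Review bot: The test `strncmp(state->access_denied + 1, "21", 2) == 0` in the new Milter exception matches every reply whose last two digits are 21 — 421 but also 521 — and the comment `/* XXX Exception for Milter override. */` does not say whether that is intended. If both final replies are meant, make it explicit: `/* Final replies (421, 521) go to the client as-is; RFC 2821 Sec 3.1 mandates 503 only for non-final rejects. */`; if only the Milter 421 is meant, compare the whole code, `if (strncmp(state->access_denied, "421", 3) == 0) {`. The `continue` also bypasses the `state->error_count++` taken on the 503 path, presumably acceptable because a 421 ends the session, but worth a word in the same comment. The `+ 1` offset assumes `state->access_denied` is never an empty string; where it is assigned is not visible in this hunk. The enclosing command loop starts and ends outside the hunk.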
&& valid_hostname(state->helo_name, DONT_GRIPE)) status = reject_rbl_domain(state, *cpp, state->helo_name, SMTPD_NAME_HELO); } diff -cr --new-file /var/tmp/postfix-2.4.14/src/smtpd/smtpd_proxy.c ./src/smtpd/smtpd_proxy.c *** /var/tmp/postfix-2.4.14/src/smtpd/smtpd_proxy.c Sun Dec 3 14:52:42 2006 --- ./src/smtpd/smtpd_proxy.c Fri Aug 27 19:47:06 2010 *************** *** 302,307 **** --- 302,310 ---- } state->proxy = vstream_fdopen(fd, O_RDWR); vstream_control(state->proxy, VSTREAM_CTL_PATH, service, VSTREAM_CTL_END); + /* Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE. */ + if (connect_fn == inet_connect) + vstream_tweak_tcp(state->proxy); smtp_timeout_setup(state->proxy, timeout); /* diff -cr --new-file /var/tmp/postfix-2.4.14/src/tls/Makefile.in ./src/tls/Makefile.in *** /var/tmp/postfix-2.4.14/src/tls/Makefile.in Sat Mar 17 13:51:38 2007 --- ./src/tls/Makefile.in Wed Jul 7 05:24:09 2010 *************** *** 99,104 **** --- 99,105 ---- tls_bio_ops.o: ../../include/vstring.h tls_bio_ops.o: tls.h tls_bio_ops.o: tls_bio_ops.c + tls_certkey.o: ../../include/mail_params.h tls_certkey.o: ../../include/msg.h tls_certkey.o: ../../include/name_code.h tls_certkey.o: ../../include/name_mask.h diff -cr --new-file /var/tmp/postfix-2.4.14/src/tls/tls_certkey.c ./src/tls/tls_certkey.c *** /var/tmp/postfix-2.4.14/src/tls/tls_certkey.c Mon Jun 26 15:57:43 2006 --- ./src/tls/tls_certkey.c Tue Jun 15 18:02:04 2010 *************** *** 67,72 **** --- 67,76 ---- #include + /* Global library. */ + + #include + /* TLS library. */ #define TLS_INTERNAL *************** *** 87,93 **** tls_print_errors(); return (-1); } ! if (!SSL_CTX_set_default_verify_paths(ctx)) { msg_info("cannot set certificate verification paths"); tls_print_errors(); return (-1); --- 91,97 ---- tls_print_errors(); return (-1); } ! if (var_tls_append_def_CA && !SSL_CTX_set_default_verify_paths(ctx)) { msg_info("cannot set certificate verification paths"); tls_print_errors(); return (-1);
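Review bot: The added `valid_hostname(state->helo_name, DONT_GRIPE)` guard in smtpd_check.c is a reasonable gate for an RHSBL lookup, but the condition carries no comment and the reason is only in HISTORY entry 20101023 (network-address HELO forms producing false positives with dbl.spamhaus.org). A short comment keeps the intent with the code: `/* RHSBLs list domains only; skip non-domain HELO forms such as address literals to avoid false positives. */`. Exactly which forms `valid_hostname` rejects (numeric names, bracketed literals) is decided in valid_hostname.c, not visible here, so the comment should promise no more than "non-domain forms". The enclosing function starts and ends outside the hunk.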
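Review bot: The new condition `var_tls_append_def_CA && !SSL_CTX_set_default_verify_paths(ctx)` in tls_certkey.c skips the system CA store by default, which is the security fix of this patch, yet the code gives no hint why, so a later reader may "restore" the call. Suggest a comment above the `if`: `/* Append the system default CAs only on request: with *_tls_CAfile/CApath set, they would let third-party certificates pass permit_tls_all_clientcerts. */`. If the earlier part of this function does not return when neither CAfile nor CApath is configured, turning the parameter off leaves the context with an empty trust store and verification fails closed; presumably intended, but worth stating in the same comment so it is not mistaken for a misconfiguration. The enclosing function begins before this hunk.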