ref: e1201b57f3e37d06589578280251d5b54e490317
parent: cbb5cf55fcf24dd00ef505d7c9267e535fe1d87a
author: flowerss@cranky.ca <flowerss@cranky.ca>
date: Thu Jan 8 17:37:50 EST 2026
upas/fs: ignore bad thumbprints for TLS connections. upas/smtp has the -C switch, which causes it to log and ignore bad thumbprints for TLS certificates in smtp connections, but upas/fs did not have this switch. Given that many mail providers' TLS certificates have recently been expiring more frequently, this is a hassle. This patch adds the -C switch to upas/fs, where it works the same way as in upas/smtp. I have also made a patch for upasfs(4), adding the -C switch. I have tested this with my imaps accounts, but not for pop tls. Patch for upas/fs
--- a/sys/src/cmd/upas/fs/dat.h
+++ b/sys/src/cmd/upas/fs/dat.h
@@ -220,6 +220,7 @@
void digestmessage(Mailbox*, Message*);
int wraptls(int, char*);
+int nocertcheck;
void eprint(char*, ...);
void iprint(char *, ...);
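Review bot: `int nocertcheck;` is added between function prototypes with no comment, although it is the switch that turns off TLS certificate verification for the whole program. A one-line comment would make that visible to anyone reading the header, e.g. `/* set by -C: wraptls skips the thumbprint check */`. If the header's other globals are declared `extern` (not visible in this hunk), this one should follow that convention, with the definition placed in fs.c.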
--- a/sys/src/cmd/upas/fs/fs.c
+++ b/sys/src/cmd/upas/fs/fs.c
@@ -308,6 +308,9 @@
case 's':
srvpost = 1;
break;
+ case 'C':
+ nocertcheck = 1;
+ break;
default:
usage();
}ARGEND
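Review bot: The flag set in `case 'C'` is process-wide, so a single -C disables thumbprint verification for every TLS mailbox this upas/fs instance opens, not only the provider whose certificate changed. A comment on the case would make that scope explicit, e.g. `/* -C: accept unrecognized TLS certificates for all mailboxes */`. The usage() text lies outside the hunk and presumably needs the new flag listed as well.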
--- a/sys/src/cmd/upas/fs/tls.c
+++ b/sys/src/cmd/upas/fs/tls.c
@@ -17,6 +17,10 @@
close(ofd);
return -1;
}
+ if (nocertcheck) {
+ syslog(0, "mail", "ignoring cert for %s", host);
+ return fd;
+ }
thumb = initThumbprints("/sys/lib/tls/mail", "/sys/lib/tls/mail.exclude", "x509");
 if(thumb != nil){
 if(!okCertificate(conn.cert, conn.certlen, thumb)){
--
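Review bot: The added `if (nocertcheck)` block returns before `okCertificate` runs, so with -C every certificate is accepted unchecked and "ignoring cert" is logged on every connection, including those whose thumbprint would have matched. The commit message describes logging and ignoring bad thumbprints. Keeping the check and testing the flag inside the failure branch, e.g. `if(nocertcheck) syslog(0, "mail", "ignoring bad cert for %s", host);` ahead of the existing rejection path, would log only when a certificate is actually unrecognized. That is the entry an operator needs in order to notice an unexpected certificate change. The early `return fd;` also skips whatever cleanup follows the thumbprint check; if `conn.cert` is released there, this path leaks it. The start of the function and the rest of the failure branch are outside the hunk.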