From 49bc36b4e2b59587d4ae87fd04fc2d2c1eac9d81 Mon Sep 17 00:00:00 2001
From: rswindell <>
Date: Mon, 11 Jun 2018 20:00:33 +0000
Subject: [PATCH] Added log output for a couple of instances where
 get_ssl_cert() could (previuosly) silently fail - in the sendmail_negotiate()
 and pop3_thread(). If get_ssl_cert() can return -1 withOUT setting the estr
 argument to a non-NULL value, then we could still have silent failures (TBD).

---
 src/sbbs3/mailsrvr.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/src/sbbs3/mailsrvr.c b/src/sbbs3/mailsrvr.c
index 7215f0b3ef..70d490afee 100644
--- a/src/sbbs3/mailsrvr.c
+++ b/src/sbbs3/mailsrvr.c
@@ -1132,7 +1132,11 @@ static void pop3_thread(void* arg)
 				i++;
 			}
 			else if (!stricmp(buf, "STLS")) {
-				if (get_ssl_cert(&scfg, NULL, NULL) == -1) {
+				if (get_ssl_cert(&scfg, &estr, &level) == -1) {
+					if (estr) {
+						lprintf(level, "%04d !POP3/TLS Failure getting certificate: %s", socket, estr);
+						free_crypt_attrstr(estr);
+					}
 					sockprintf(socket,session,"-ERR STLS command not supported");
 					continue;
 				}
@@ -5088,7 +5092,16 @@ static SOCKET sendmail_negotiate(CRYPT_SESSION *session, smb_t *smb, smbmsg_t *m
 				return sock;
 			case 1:
 				/* We NEVER bounce() because of TLS errors, so we don't need to set err */
-				if ((!tls_retry) && get_ssl_cert(&scfg, NULL, NULL) != -1) {
+				if (!tls_retry) {
+					char* estr = NULL;
+					int level;
+					if(get_ssl_cert(&scfg, &estr, &level) == -1) {
+						if (estr) {
+							lprintf(level, "%04d !SEND/TLS %s", sock, estr);
+							free_crypt_attrstr(estr);
+						}
+						continue;
+					}
 					sockprintf(sock, *session, "STARTTLS");
 					if (sockgetrsp(sock, *session, "220", buf, sizeof(buf))) {
 						if ((status=cryptCreateSession(session, CRYPT_UNUSED, CRYPT_SESSION_SSL)) != CRYPT_OK) {
-- 
GitLab