From 4b6d44f6e9bd728b8568cc91ab02ba35e709104b Mon Sep 17 00:00:00 2001
From: Patrick Monnerat <patrick@monnerat.net>
Date: Sat, 30 Dec 2023 17:31:04 +0100
Subject: [PATCH] openldap: fix STARTTLS

It was not working anymore since introduction of connection filters.

Also do not attempt to recover from a failing TLS negotiation with
CURLUSESSL_TRY.

Closes #12610
---
 lib/openldap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/openldap.c b/lib/openldap.c
index fcc9f91f44..171a4c3ce8 100644
--- a/lib/openldap.c
+++ b/lib/openldap.c
@@ -793,10 +793,13 @@ static CURLcode oldap_connecting(struct Curl_easy *data, bool *done)
         result = oldap_perform_bind(data, OLDAP_BIND);
       break;
     }
+    result = Curl_ssl_cfilter_add(data, conn, FIRSTSOCKET);
+    if(result)
+      break;
     FALLTHROUGH();
   case OLDAP_TLS:
     result = oldap_ssl_connect(data, OLDAP_TLS);
-    if(result && data->set.use_ssl != CURLUSESSL_TRY)
+    if(result)
       result = oldap_map_error(code, CURLE_USE_SSL_FAILED);
     else if(ssl_installed(conn)) {
       conn->bits.tls_upgraded = TRUE;