diff --git a/include/ldap_pvt.h b/include/ldap_pvt.h index 0ed0563b0d..54246b402f 100644 --- a/include/ldap_pvt.h +++ b/include/ldap_pvt.h @@ -235,7 +235,7 @@ LDAP_F (int) ldap_pvt_tls_set_option LDAP_P(( struct ldap *ld, LDAP_F (void) ldap_pvt_tls_destroy LDAP_P(( void )); LDAP_F (int) ldap_pvt_tls_init LDAP_P(( void )); -LDAP_F (int) ldap_pvt_tls_init_def_ctx LDAP_P(( void )); +LDAP_F (int) ldap_pvt_tls_init_def_ctx LDAP_P(( int is_server )); LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg )); LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb )); LDAP_F (void *) ldap_pvt_tls_sb_ctx LDAP_P(( Sockbuf *sb )); diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c index 8eb01290cd..442db48655 100644 --- a/libraries/libldap/tls.c +++ b/libraries/libldap/tls.c @@ -200,7 +200,7 @@ ldap_pvt_tls_init( void ) * initialize the default context */ int -ldap_pvt_tls_init_def_ctx( void ) +ldap_pvt_tls_init_def_ctx( int is_server ) { STACK_OF(X509_NAME) *calist; int rc = 0; @@ -215,7 +215,7 @@ ldap_pvt_tls_init_def_ctx( void ) ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex ); #endif - if ( !certfile && !keyfile && !cacertfile && !cacertdir ) { + if ( is_server && !certfile && !keyfile && !cacertfile && !cacertdir ) { /* minimum configuration not provided */ #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex ); @@ -441,7 +441,7 @@ get_ca_list( char * bundle, char * dir ) } static SSL * -alloc_handle( void *ctx_arg ) +alloc_handle( void *ctx_arg, int is_server ) { SSL_CTX *ctx; SSL *ssl; @@ -449,7 +449,7 @@ alloc_handle( void *ctx_arg ) if ( ctx_arg ) { ctx = (SSL_CTX *) ctx_arg; } else { - if ( ldap_pvt_tls_init_def_ctx() < 0 ) return NULL; + if ( ldap_pvt_tls_init_def_ctx( is_server ) < 0 ) return NULL; ctx = tls_def_ctx; } @@ -769,7 +769,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn ) lo = &ld->ld_options; ctx = lo->ldo_tls_ctx; - ssl = alloc_handle( ctx ); + ssl = alloc_handle( ctx, 0 ); if ( ssl == NULL ) return -1; @@ -842,7 +842,7 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg ) ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl ); } else { - ssl = alloc_handle( ctx_arg ); + ssl = alloc_handle( ctx_arg, 1 ); if ( ssl == NULL ) return -1; #ifdef LDAP_DEBUG diff --git a/servers/slapd/main.c b/servers/slapd/main.c index b32e60e4d2..f74bc4f231 100644 --- a/servers/slapd/main.c +++ b/servers/slapd/main.c @@ -668,7 +668,7 @@ unhandled_option:; /* Force new ctx to be created */ ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, NULL ); - rc = ldap_pvt_tls_init_def_ctx(); + rc = ldap_pvt_tls_init_def_ctx( 1 ); if( rc == 0 ) { ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx ); /* Restore previous ctx */ diff --git a/servers/slurpd/main.c b/servers/slurpd/main.c index ccd75e7ed0..33dcd9b842 100644 --- a/servers/slurpd/main.c +++ b/servers/slurpd/main.c @@ -155,7 +155,7 @@ int main( int argc, char **argv ) } #ifdef HAVE_TLS - if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) { + if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx( 0 ) ) { rc = 0; /* See if we actually need TLS */ for ( i=0; i < sglob->num_replicas; i++ ) {