mirror of
https://git.openldap.org/openldap/openldap.git
synced 2025-01-06 10:46:21 +08:00
ITS#4082 tls ctx requirements are only applicable to servers, or clients
with tls_opt_require_cert = TRY or DEMAND. Ignore requirements for clients.
This commit is contained in:
parent
419d2925b1
commit
146b2c5389
@ -235,7 +235,7 @@ LDAP_F (int) ldap_pvt_tls_set_option LDAP_P(( struct ldap *ld,
|
||||
|
||||
LDAP_F (void) ldap_pvt_tls_destroy LDAP_P(( void ));
|
||||
LDAP_F (int) ldap_pvt_tls_init LDAP_P(( void ));
|
||||
LDAP_F (int) ldap_pvt_tls_init_def_ctx LDAP_P(( void ));
|
||||
LDAP_F (int) ldap_pvt_tls_init_def_ctx LDAP_P(( int is_server ));
|
||||
LDAP_F (int) ldap_pvt_tls_accept LDAP_P(( Sockbuf *sb, void *ctx_arg ));
|
||||
LDAP_F (int) ldap_pvt_tls_inplace LDAP_P(( Sockbuf *sb ));
|
||||
LDAP_F (void *) ldap_pvt_tls_sb_ctx LDAP_P(( Sockbuf *sb ));
|
||||
|
@ -200,7 +200,7 @@ ldap_pvt_tls_init( void )
|
||||
* initialize the default context
|
||||
*/
|
||||
int
|
||||
ldap_pvt_tls_init_def_ctx( void )
|
||||
ldap_pvt_tls_init_def_ctx( int is_server )
|
||||
{
|
||||
STACK_OF(X509_NAME) *calist;
|
||||
int rc = 0;
|
||||
@ -215,7 +215,7 @@ ldap_pvt_tls_init_def_ctx( void )
|
||||
ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
|
||||
#endif
|
||||
|
||||
if ( !certfile && !keyfile && !cacertfile && !cacertdir ) {
|
||||
if ( is_server && !certfile && !keyfile && !cacertfile && !cacertdir ) {
|
||||
/* minimum configuration not provided */
|
||||
#ifdef LDAP_R_COMPILE
|
||||
ldap_pvt_thread_mutex_unlock( &tls_def_ctx_mutex );
|
||||
@ -441,7 +441,7 @@ get_ca_list( char * bundle, char * dir )
|
||||
}
|
||||
|
||||
static SSL *
|
||||
alloc_handle( void *ctx_arg )
|
||||
alloc_handle( void *ctx_arg, int is_server )
|
||||
{
|
||||
SSL_CTX *ctx;
|
||||
SSL *ssl;
|
||||
@ -449,7 +449,7 @@ alloc_handle( void *ctx_arg )
|
||||
if ( ctx_arg ) {
|
||||
ctx = (SSL_CTX *) ctx_arg;
|
||||
} else {
|
||||
if ( ldap_pvt_tls_init_def_ctx() < 0 ) return NULL;
|
||||
if ( ldap_pvt_tls_init_def_ctx( is_server ) < 0 ) return NULL;
|
||||
ctx = tls_def_ctx;
|
||||
}
|
||||
|
||||
@ -769,7 +769,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
|
||||
lo = &ld->ld_options;
|
||||
ctx = lo->ldo_tls_ctx;
|
||||
|
||||
ssl = alloc_handle( ctx );
|
||||
ssl = alloc_handle( ctx, 0 );
|
||||
|
||||
if ( ssl == NULL ) return -1;
|
||||
|
||||
@ -842,7 +842,7 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
|
||||
ber_sockbuf_ctrl( sb, LBER_SB_OPT_GET_SSL, (void *)&ssl );
|
||||
|
||||
} else {
|
||||
ssl = alloc_handle( ctx_arg );
|
||||
ssl = alloc_handle( ctx_arg, 1 );
|
||||
if ( ssl == NULL ) return -1;
|
||||
|
||||
#ifdef LDAP_DEBUG
|
||||
|
@ -668,7 +668,7 @@ unhandled_option:;
|
||||
/* Force new ctx to be created */
|
||||
ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, NULL );
|
||||
|
||||
rc = ldap_pvt_tls_init_def_ctx();
|
||||
rc = ldap_pvt_tls_init_def_ctx( 1 );
|
||||
if( rc == 0 ) {
|
||||
ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
|
||||
/* Restore previous ctx */
|
||||
|
@ -155,7 +155,7 @@ int main( int argc, char **argv )
|
||||
}
|
||||
|
||||
#ifdef HAVE_TLS
|
||||
if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) {
|
||||
if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx( 0 ) ) {
|
||||
rc = 0;
|
||||
/* See if we actually need TLS */
|
||||
for ( i=0; i < sglob->num_replicas; i++ ) {
|
||||
|
Loading…
Reference in New Issue
Block a user