ITS#9711 fix TLS ctx init for tools

The code to initialize the TLS context was being bypassed by tool startup, causing tools to get the wrong default setting. Move it earlier to avoid being bypassed.
2025-01-18 11:05:48 +08:00 · 2021-09-30 19:17:38 +01:00 · 2021-09-30 19:17:38 +01:00 · 1a6e4b7dcd
commit 1a6e4b7dcd
parent 447a47a691
1 changed files with 14 additions and 15 deletions
--- a/servers/slapd/main.c
+++ b/servers/slapd/main.c
@ -403,6 +403,20 @@ int main( int argc, char **argv )

 	(void) ldap_pvt_thread_initialize();

+#ifdef HAVE_TLS
+	rc = ldap_create( &slap_tls_ld );
+	if ( rc ) {
+		MAIN_RETURN( rc );
+	}
+	/* Library defaults to full certificate checking. This is correct when
+	 * a client is verifying a server because all servers should have a
+	 * valid cert. But few clients have valid certs, so we want our default
+	 * to be no checking. The config file can override this as usual.
+	 */
+	rc = LDAP_OPT_X_TLS_NEVER;
+	(void) ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc );
+#endif
+
 	serverName = lutil_progname( "slapd", argc, argv );

 	if ( strcmp( serverName, "slapd" ) ) {
@ -782,21 +796,6 @@ unhandled_option:;
 	extops_init();
 	lutil_passwd_init();

-#ifdef HAVE_TLS
-	rc = ldap_create( &slap_tls_ld );
-	if ( rc ) {
-		SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
-		goto destroy;
-	}
-	/* Library defaults to full certificate checking. This is correct when
-	 * a client is verifying a server because all servers should have a
-	 * valid cert. But few clients have valid certs, so we want our default
-	 * to be no checking. The config file can override this as usual.
-	 */
-	rc = LDAP_OPT_X_TLS_NEVER;
-	(void) ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc );
-#endif
-
 	rc = slap_init( serverMode, serverName );
 	if ( rc ) {
 		SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 18 );