From 1a6e4b7dcd9e741c412cb3e40655a01b69413484 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Thu, 30 Sep 2021 19:17:38 +0100 Subject: [PATCH] ITS#9711 fix TLS ctx init for tools The code to initialize the TLS context was being bypassed by tool startup, causing tools to get the wrong default setting. Move it earlier to avoid being bypassed. --- servers/slapd/main.c | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/servers/slapd/main.c b/servers/slapd/main.c index fff83b7c2d..e59117e2f3 100644 --- a/servers/slapd/main.c +++ b/servers/slapd/main.c @@ -403,6 +403,20 @@ int main( int argc, char **argv ) (void) ldap_pvt_thread_initialize(); +#ifdef HAVE_TLS + rc = ldap_create( &slap_tls_ld ); + if ( rc ) { + MAIN_RETURN( rc ); + } + /* Library defaults to full certificate checking. This is correct when + * a client is verifying a server because all servers should have a + * valid cert. But few clients have valid certs, so we want our default + * to be no checking. The config file can override this as usual. + */ + rc = LDAP_OPT_X_TLS_NEVER; + (void) ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc ); +#endif + serverName = lutil_progname( "slapd", argc, argv ); if ( strcmp( serverName, "slapd" ) ) { @@ -782,21 +796,6 @@ unhandled_option:; extops_init(); lutil_passwd_init(); -#ifdef HAVE_TLS - rc = ldap_create( &slap_tls_ld ); - if ( rc ) { - SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 ); - goto destroy; - } - /* Library defaults to full certificate checking. This is correct when - * a client is verifying a server because all servers should have a - * valid cert. But few clients have valid certs, so we want our default - * to be no checking. The config file can override this as usual. - */ - rc = LDAP_OPT_X_TLS_NEVER; - (void) ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc ); -#endif - rc = slap_init( serverMode, serverName ); if ( rc ) { SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 18 );