ITS#9711 fix TLS ctx init for tools

The code to initialize the TLS context was being bypassed by tool startup,
causing tools to get the wrong default setting. Move it earlier to avoid
being bypassed.
Howard Chu 2021-09-30 19:17:38 +01:00 committed by Quanah Gibson-Mount
parent 447a47a691
commit 1a6e4b7dcd


@ -403,6 +403,20 @@ int main( int argc, char **argv )
(void) ldap_pvt_thread_initialize(); (void) ldap_pvt_thread_initialize();
#ifdef HAVE_TLS
rc = ldap_create( &slap_tls_ld );
if ( rc ) {
MAIN_RETURN( rc );
}
/* Library defaults to full certificate checking. This is correct when
* a client is verifying a server because all servers should have a
* valid cert. But few clients have valid certs, so we want our default
* to be no checking. The config file can override this as usual.
*/
rc = LDAP_OPT_X_TLS_NEVER;
(void) ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc );
#endif
serverName = lutil_progname( "slapd", argc, argv ); serverName = lutil_progname( "slapd", argc, argv );
if ( strcmp( serverName, "slapd" ) ) { if ( strcmp( serverName, "slapd" ) ) {
@ -782,21 +796,6 @@ unhandled_option:;
extops_init(); extops_init();
lutil_passwd_init(); lutil_passwd_init();
#ifdef HAVE_TLS
rc = ldap_create( &slap_tls_ld );
if ( rc ) {
SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
goto destroy;
}
/* Library defaults to full certificate checking. This is correct when
* a client is verifying a server because all servers should have a
* valid cert. But few clients have valid certs, so we want our default
* to be no checking. The config file can override this as usual.
*/
rc = LDAP_OPT_X_TLS_NEVER;
(void) ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc );
#endif
rc = slap_init( serverMode, serverName ); rc = slap_init( serverMode, serverName );
if ( rc ) { if ( rc ) {
SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 18 ); SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 18 );
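Review bot: The failure path of the relocated `ldap_create( &slap_tls_ld )` in the first hunk now exits via `MAIN_RETURN( rc )` with the raw LDAP result code, whereas the removed block first reported `SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 )` and went through cleanup, so on service builds the specific error code is dropped and the process exit status changes meaning. If the service status can be reported this early, keeping `SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );` ahead of `MAIN_RETURN( rc );` preserves the old diagnostics; otherwise a short comment on why a plain return suffices here (presumably nothing else is initialized yet at that point) would help the next reader. Since the ordering is the whole point of the fix, the block comment could record it, e.g. `/* Must precede the serverName/tool-mode dispatch below so every tool inherits this default. */`, so a later refactor does not move it back. main() continues outside both hunks.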