ITS#7014 TLS: don't check hostname if reqcert is 'allow'
If the server certificate's hostname does not match the server hostname, the connection is closed even if the client has set TLS_REQCERT to 'allow'. This is wrong: the documentation says that bad certificates are ignored when TLS_REQCERT is set to 'allow'.
parent
fdb3443366
commit
3dae953fd6
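--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -838,7 +838,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 /*
  * compare host with name(s) in certificate
  */
-if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER) {
+if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
+ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
 ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
 if (ld->ld_errno != LDAP_SUCCESS) {
 return ld->ld_errno;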
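Review bot: The new condition skips `ldap_pvt_tls_check_hostname()` entirely under `LDAP_OPT_X_TLS_ALLOW`, so a hostname mismatch is no longer detected at all rather than detected and tolerated; whatever diagnostic that helper emits on mismatch is lost, and an operator running with `TLS_REQCERT allow` gets no trace that the peer's certificate did not name the server they asked for. Since 'allow' already tolerates an unverifiable chain, this makes the mode provide no server authentication silently, which is the documented semantics but deserves to be observable. I would keep the call on every path other than `never` and only let the result abort the connection when the setting is stricter than `allow`, resetting `ld_errno` so callers do not see a stale error. The enclosing `if` block and the function continue outside the hunk, so the closing braces below are assumed; the behaviour of `ldap_pvt_tls_check_hostname()` on mismatch (presumably it logs) is not visible here and should be confirmed.
```c
/* … unchanged: "compare host with name(s) in certificate" comment … */
if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER) {
	ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
	if (ld->ld_errno != LDAP_SUCCESS) {
		/* 'allow' tolerates a bad certificate: run the check so the
		 * mismatch is still diagnosed, but do not fail the connection.
		 * Any stricter setting still aborts. */
		if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
			return ld->ld_errno;
		}
		ld->ld_errno = LDAP_SUCCESS;
	}
```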