Set ciphers from slapd.conf.

More error checking and reporting. Slowly getting there, SSL_accept succeeds now, but connection breaks immediately after that (my glue logic with slapd is broken).
2025-01-24 13:24:56 +08:00 · 1999-07-15 21:03:47 +00:00 · 1999-07-15 21:03:47 +00:00 · 7a64fcf7b3
commit 7a64fcf7b3
parent 27bcfd696d
1 changed files with 22 additions and 3 deletions
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@ -35,6 +35,7 @@ static char *tls_opt_keyfile = NULL;
 static char *tls_opt_cacertfile = NULL;
 static char *tls_opt_cacertdir = NULL;
 static int  tls_opt_require_cert = 0;
+static char *tls_opt_ciphersuite = NULL;

 #define HAS_TLS( sb ) ((sb)->sb_io==&tls_io)

@ -127,10 +128,12 @@ ldap_pvt_tls_init_def_ctx( void )
 			       "TLS: could not allocate default ctx.\n",0,0,0);
 			goto error_exit;
 		}
-		if ( !SSL_CTX_set_cipher_list( tls_def_ctx,
-			"RC4+RSA:HIGH:MEDIUM:LOW:EXP:+SSLv2:+EXP" ) ) {
+		if ( tls_opt_ciphersuite &&
+		     !SSL_CTX_set_cipher_list( tls_def_ctx,
+			tls_opt_ciphersuite ) ) {
 			Debug( LDAP_DEBUG_ANY,
-			       "TLS: could not set cipher list.\n", 0, 0, 0 );
+			       "TLS: could not set cipher list %s.\n",
+			       tls_opt_ciphersuite, 0, 0 );
 			tls_report_error();
 			goto error_exit;
 		}
@ -141,6 +144,7 @@ ldap_pvt_tls_init_def_ctx( void )
 			Debug( LDAP_DEBUG_ANY,
 	 	"TLS: could not load verify locations (file:`%s',dir:`%s').\n",
 			       tls_opt_cacertfile,tls_opt_cacertdir,0);
+			tls_report_error();
 			goto error_exit;
 		}
 		if ( tls_opt_keyfile &&
@ -150,6 +154,7 @@ ldap_pvt_tls_init_def_ctx( void )
 			Debug( LDAP_DEBUG_ANY,
 			       "TLS: could not use key file `%s'.\n",
 			       tls_opt_keyfile,0,0);
+			tls_report_error();
 			goto error_exit;
 		}
 		if ( tls_opt_certfile &&
@ -159,6 +164,15 @@ ldap_pvt_tls_init_def_ctx( void )
 			Debug( LDAP_DEBUG_ANY,
 			       "TLS: could not use certificate `%s'.\n",
 			       tls_opt_certfile,0,0);
+			tls_report_error();
+			goto error_exit;
+		}
+		if ( ( tls_opt_certfile || tls_opt_keyfile ) &&
+		     !SSL_CTX_check_private_key( tls_def_ctx ) ) {
+			Debug( LDAP_DEBUG_ANY,
+			       "TLS: private key mismatch.\n",
+			       0,0,0);
+			tls_report_error();
 			goto error_exit;
 		}
 		SSL_CTX_set_verify( tls_def_ctx, (tls_opt_require_cert) ?
@ -433,6 +447,11 @@ ldap_pvt_tls_set_option( struct ldapoptions *lo, int option, void *arg )
 		break;
 	case LDAP_OPT_X_TLS_REQUIRE_CERT:
 		tls_opt_require_cert = * (int *) arg;
+		break;
+	case LDAP_OPT_X_TLS_CIPHER_SUITE:
+		if ( tls_opt_ciphersuite ) free( tls_opt_ciphersuite );
+		tls_opt_ciphersuite = arg ? strdup( (char *) arg ) : NULL;
+		break;
 	default:
 		return -1;
 	}