Commit Graph

38 Commits

Author SHA1 Message Date
Kurt Zeilenga
6053ed1058 ITS#903: validate hostname in server cert from Norbert Klasen
adapted as needed.
2000-11-22 20:23:38 +00:00
Kurt Zeilenga
511a84bc31 First cut of SASL/EXTERNAL 2000-10-31 23:00:35 +00:00
Kurt Zeilenga
edef4b2970 ITS#821: TLS data ready fix from <mattc@chartist.com> 2000-10-16 20:26:56 +00:00
Kurt Zeilenga
2cdbfd069b Add missing newlines 2000-10-05 18:30:06 +00:00
Kurt Zeilenga
778b665242 Fix up some free'ing. 2000-10-02 17:43:39 +00:00
Kurt Zeilenga
90d557402b Should modify code to bail on initialization errors...
For now, just (void) the return
2000-09-21 19:56:04 +00:00
Randy Kunkee
ab3be5d76d Include <ac/param.h> to pick up MAXPATHLEN. 2000-09-13 07:26:55 +00:00
Kurt Zeilenga
92c55c4454 Clean up 2000-09-13 01:12:47 +00:00
Kurt Zeilenga
d554a31b58 Move ldap_pvt_tls_init call to ldap_pvt_tls_start
Relax user-only options on TLS_RANDFILE and TLS_REQCERT
2000-09-13 00:54:45 +00:00
Kurt Zeilenga
2c30c90876 Rework TLS code (only supports default connection) 2000-09-12 00:30:05 +00:00
Kurt Zeilenga
5518aefda0 Change default to SSL_PEER_NONE (don't require peer certificate). 2000-09-01 23:24:17 +00:00
Kurt Zeilenga
a2afb207be Move ldap_start_tls_s() to tls.c 2000-08-25 02:16:15 +00:00
Howard Chu
0f8047b95e Implemented ldap_pvt_tls_get_peer() for use with SASL/EXTERNAL.
Added ldap_pvt_tls_get_strength() - return encryption strength, for
use as a SASL session security factor.
2000-08-16 23:27:41 +00:00
Kurt Zeilenga
5fc22599e2 Update SASL code to reuse context through life of session.
Replace 'negotiated' with 'interactive' bind
Add hooks for SASL/EXTERNAL
Disable SASL security layers
Rework SASL command line and config file parameters
2000-07-13 22:54:38 +00:00
Kurt Zeilenga
fe23628faa ITS#619: TLS PRNG initialization code
based upon patch provided by Ted C. Cheng <cheng@ix.netcom.com>
2000-07-08 22:17:50 +00:00
Kurt Zeilenga
0eb19657fa Add missing -DNO_THREADS trylock and make minor change to TLS
in attempt to get it work with GNU PTH.
2000-06-07 23:58:16 +00:00
Kurt Zeilenga
6ad1c45bd3 Use LDAP_VFREE and friends. Other misc code cleanup. 2000-06-07 05:17:29 +00:00
Kurt Zeilenga
2e0912622b ITS#537: lber io rewrite from Gambor Gombas.
Copyright 2000 Gábor Gombás. All rights reserved.
This is free software. You may redistribute and use it under the same
terms as OpenLDAP itself.
2000-06-01 20:59:21 +00:00
Kurt Zeilenga
29d9fa20a2 Y2k copyright update 2000-05-13 02:36:07 +00:00
Howard Chu
f0c4f83ea2 libldap/tls.c: change tls_verify_cb to no longer ignore verification errors.
This means a ldaps connection may drop before any LDAP protocol exchange
occurs (due to expired cert, unrecognized CAs, etc.).
  Change ldap_pvt_tls_connect to copy any TLS error string to ld_error upon
connection failure, otherwise client just sees "can't contact LDAP server."

slapd/connection.c: add flush/delay when SSL_accept fails, to allow any
TLS alerts we generated to propagate back to the client. (Which will then
be picked up by ldap_pvt_tls_connect on the client...)
2000-05-10 17:07:09 +00:00
Kurt Zeilenga
1a348f9fbe Return okay after setting LDAP_OPT_X_TLS_CERT (ITS#447) 2000-03-18 23:55:51 +00:00
Howard Chu
80f85e972d In ldap_pvt_tls_init() treat subsequent invocations as no-ops, not error.
In tls_verify_cb() use CRYPTO_free instead of free (necessary on NT due to
use of different heaps).
Changed update_flags to use SSL_get_error() to check success/status. This
fixes the problem of sb->sb_trans_needs_read getting set on dead sockets.
2000-01-15 19:03:16 +00:00
Mark Valence
a76c9f18a9 Start TLS extension: check that TLS was inited successfully, return default referral on failure as appropriate. 1999-12-10 19:18:33 +00:00
Mark Valence
454284f1ea Adds for Start TLS functionality on slapd and LDAP C API. 1999-12-09 22:33:22 +00:00
Mark Valence
15c83bef9d Changed ldap_pvt_tls_init_def_ctx() to not fail if there is no cacertfile/dir specified. This lets LDAP_OPT_X_TLS_REQUIRE_CERT=0 work. If LDAP_OPT_X_TLS_REQUIRE_CERT=1, connection will fail as appropriate since there is no CA list. 1999-12-06 04:44:22 +00:00
Mark Valence
a50cd075db Changes to make TLS work on Windows 1999-10-27 22:40:05 +00:00
Mark Valence
9e7243015c fixed LDAP_OPT_X_TLS case of ldap_pvt_tls_config().
ldap_pvt_tls_set_option() expects int* as third param.
1999-09-25 03:53:17 +00:00
Kurt Zeilenga
403f4479bc Add OpenLDAP RCSid to *.[ch] in clients, libraries, and servers.
Replace old Id as needed (back-tcl).
Leave updating of contribWare to contributors (for now).
1999-09-08 19:06:24 +00:00
Kurt Zeilenga
5c63fd55b5 Implement ldap_dn_normalize and friends. Should be used by clients
to validate input dn's BEFORE sending dn's to server.
Also fixed getfilter to use REG_EXTENDED|REG_NOSUB.  (and fixed one
case where REG_BASIC was still used).
s/strdup/LDAP_STRDUP/
Added ldap_pvt_str2lower/upper
1999-08-25 06:44:08 +00:00
Hallvard Furuseth
67ff28bf52 Include <ac/stdlib.h> instead of <stdlib.h> 1999-08-01 22:42:34 +00:00
Julio Sánchez Fernández
5f53b747a5 Partial support for a new option to help debug TLS connections,
not yet user-settable.  Defaults "on" for now.
Partial support for temporary RSA keys, skeleton for DH.
Add call to X509V3_add_standard_extensions() on init, mod_ssl
does this too, but I am unsure about what it does.
Move management of client CA certificates to a new routine, since
it is going to get more complex than the current code.
1999-07-21 19:18:08 +00:00
Julio Sánchez Fernández
e892ebfc5e Some content for tls_verify_cb where parts of our policy should
be implemented.

The rest of this change mostly contains random ideas taken from
mod_ssl.  The purpose is to get the repository in sync with the
code I am testing.  I still can't manage to make Netscape send
its certificate to slapd, though it works with Apache/mod_ssl
(with the same certificates).  Trying s_client against both
does not shed any light.  If anyone manages to make it work,
please let us know.
1999-07-20 18:31:53 +00:00
Julio Sánchez Fernández
85acec922f We were not remembering the allocated SSL thing in the Sockbuf.
Set flags without relying on errno (this change may be gratuitous
or wrong).
1999-07-16 15:46:15 +00:00
Julio Sánchez Fernández
7a64fcf7b3 Set ciphers from slapd.conf.
More error checking and reporting.
Slowly getting there, SSL_accept succeeds now, but connection breaks
immediately after that (my glue logic with slapd is broken).
1999-07-15 21:03:47 +00:00
Kurt Zeilenga
c7425738bb Add missing arg to Debug macro call 1999-07-15 20:00:05 +00:00
Julio Sánchez Fernández
41de66a0b2 New routine tls_report_error to analyze errors from OpenSSL
Change temporarily the default protocol from TLSv1 to SSLv3 with
fallback to SSLv2.  This seems necessary for slapd to accept connections
from Netscape.
Try to set the cipher list in the default context.  Does not semm to
work yet.
1999-07-15 14:59:09 +00:00
Kurt Zeilenga
cbb5553b03 Newer versions of OpenSSL install headers in $prefix/include/openssl... 1999-07-14 00:03:52 +00:00
Julio Sánchez Fernández
8f4f94d415 First version of TLS glue for SSLeay/OpenSSL originally written by
Bart Hartgers.  Untested.
1999-07-13 19:11:53 +00:00