Kurt Zeilenga
943800a534
We "understand" localhost to be same as the local hostname as
...
returned by gethostname().
2001-12-17 23:56:16 +00:00
Howard Chu
88e3454654
Add #include <openssl/safestack.h> to fix ITS#1412
2001-11-30 02:37:39 +00:00
Howard Chu
33ace5610c
Added ldap_pvt_tls_destroy() to cleanup TLS library on shutdown
2001-11-06 20:52:59 +00:00
Pierangelo Masarati
192f83540c
missing leading quote
2001-10-25 18:56:06 +00:00
Kurt Zeilenga
187f190fb6
Don't pass NULL string pointers to Debug
2001-10-25 18:32:59 +00:00
Kurt Zeilenga
7a4b9e3c32
Minor cleanup
2001-09-18 17:35:47 +00:00
Howard Chu
e4d8a87ddc
Silence some typecast warnings
2001-09-18 05:22:53 +00:00
Howard Chu
966616b274
Don't pass NULL hostname to ldap_pvt_tls_check_hostname, use "localhost"
2001-09-18 05:19:55 +00:00
Kurt Zeilenga
241d6a558e
Remove dead code
2001-09-09 04:47:03 +00:00
Kurt Zeilenga
553d80cedd
Blindly fix TLS/SASL external interaction.
2001-09-09 03:42:26 +00:00
Kurt Zeilenga
05c9d4bfda
Fix TLS ldap.conf issues
2001-09-05 21:22:41 +00:00
Howard Chu
f3501cbf50
Fix ldap_int_tls_start to set its error codes in ld->ld_errno.
2001-09-02 12:06:41 +00:00
Howard Chu
b10e0029a5
Full implementation of server identity checking per RFC2830 section 3.6
2001-09-02 11:23:28 +00:00
Howard Chu
44a3160fec
Remove redundant call of SSL_set_info_callback, to allow users
...
to override it in the SSL_CTX.
2001-08-29 20:28:08 +00:00
Kurt Zeilenga
05960887bb
Fix -H ldaps:// crashes due to rework of TLS code
2001-08-27 20:22:28 +00:00
Kurt Zeilenga
16fa8c4a21
Fix bug introduced during TLS rework
2001-08-02 04:20:11 +00:00
Kurt Zeilenga
77f776dfd1
Another round of TLS updates to support secure referral chasing
2001-06-25 19:17:42 +00:00
Kurt Zeilenga
350ffe6d15
Rework tls check
...
Needs to be connection specific
2001-06-25 18:20:14 +00:00
Kurt Zeilenga
c4f5497ac6
move TLS ctx to lconn struct in prep for supporting TLS with referrals
...
need to rework cert check to use per lconn host name
2001-06-25 07:33:42 +00:00
Kurt Zeilenga
4a23c08678
Fix up error handling
2001-06-22 21:01:04 +00:00
Kurt Zeilenga
deb9644a8a
Should not be using reverse lookup names to check certificates.
2001-05-19 23:07:46 +00:00
Kurt Zeilenga
c0a06f25c2
Add ldap_pvt_tls_get_peer_dn() routine. Returns peer as an LDAP DN.
2001-01-18 00:40:58 +00:00
Kurt Zeilenga
1d1c1edf44
update rand file after use
2001-01-10 21:14:13 +00:00
Kurt Zeilenga
6053ed1058
ITS#903: validate hostname in server cert from Norbert Klasen
...
adapted as needed.
2000-11-22 20:23:38 +00:00
Kurt Zeilenga
511a84bc31
First cut of SASL/EXTERNAL
2000-10-31 23:00:35 +00:00
Kurt Zeilenga
edef4b2970
ITS#821: TLS data ready fix from <mattc@chartist.com>
2000-10-16 20:26:56 +00:00
Kurt Zeilenga
2cdbfd069b
Add missing newlines
2000-10-05 18:30:06 +00:00
Kurt Zeilenga
778b665242
Fix up some free'ing.
2000-10-02 17:43:39 +00:00
Kurt Zeilenga
90d557402b
Should modify code to bail on initialization errors...
...
For now, just (void) the return
2000-09-21 19:56:04 +00:00
Randy Kunkee
ab3be5d76d
Include <ac/param.h> to pick up MAXPATHLEN.
2000-09-13 07:26:55 +00:00
Kurt Zeilenga
92c55c4454
Clean up
2000-09-13 01:12:47 +00:00
Kurt Zeilenga
d554a31b58
Move ldap_pvt_tls_init call to ldap_pvt_tls_start
...
Relax user-only options on TLS_RANDFILE and TLS_REQCERT
2000-09-13 00:54:45 +00:00
Kurt Zeilenga
2c30c90876
Rework TLS code (only supports default connection)
2000-09-12 00:30:05 +00:00
Kurt Zeilenga
5518aefda0
Change default to SSL_PEER_NONE (don't require peer certificate).
2000-09-01 23:24:17 +00:00
Kurt Zeilenga
a2afb207be
Move ldap_start_tls_s() to tls.c
2000-08-25 02:16:15 +00:00
Howard Chu
0f8047b95e
Implemented ldap_pvt_tls_get_peer() for use with SASL/EXTERNAL.
...
Added ldap_pvt_tls_get_strength() - return encryption strength, for
use as a SASL session security factor.
2000-08-16 23:27:41 +00:00
Kurt Zeilenga
5fc22599e2
Update SASL code to reuse context through life of session.
...
Replace 'negotiated' with 'interactive' bind
Add hooks for SASL/EXTERNAL
Disable SASL security layers
Rework SASL command line and config file parameters
2000-07-13 22:54:38 +00:00
Kurt Zeilenga
fe23628faa
ITS#619: TLS PRNG initialization code
...
based upon patch provided by Ted C. Cheng <cheng@ix.netcom.com>
2000-07-08 22:17:50 +00:00
Kurt Zeilenga
0eb19657fa
Add missing -DNO_THREADS trylock and make minor change to TLS
...
in attempt to get it work with GNU PTH.
2000-06-07 23:58:16 +00:00
Kurt Zeilenga
6ad1c45bd3
Use LDAP_VFREE and friends. Other misc code cleanup.
2000-06-07 05:17:29 +00:00
Kurt Zeilenga
2e0912622b
ITS#537: lber io rewrite from Gambor Gombas.
...
Copyright 2000 Gábor Gombás. All rights reserved.
This is free software. You may redistribute and use it under the same
terms as OpenLDAP itself.
2000-06-01 20:59:21 +00:00
Kurt Zeilenga
29d9fa20a2
Y2k copyright update
2000-05-13 02:36:07 +00:00
Howard Chu
f0c4f83ea2
libldap/tls.c: change tls_verify_cb to no longer ignore verification errors.
...
This means a ldaps connection may drop before any LDAP protocol exchange
occurs (due to expired cert, unrecognized CAs, etc.).
Change ldap_pvt_tls_connect to copy any TLS error string to ld_error upon
connection failure, otherwise client just sees "can't contact LDAP server."
slapd/connection.c: add flush/delay when SSL_accept fails, to allow any
TLS alerts we generated to propagate back to the client. (Which will then
be picked up by ldap_pvt_tls_connect on the client...)
2000-05-10 17:07:09 +00:00
Kurt Zeilenga
1a348f9fbe
Return okay after setting LDAP_OPT_X_TLS_CERT (ITS#447)
2000-03-18 23:55:51 +00:00
Howard Chu
80f85e972d
In ldap_pvt_tls_init() treat subsequent invocations as no-ops, not error.
...
In tls_verify_cb() use CRYPTO_free instead of free (necessary on NT due to
use of different heaps).
Changed update_flags to use SSL_get_error() to check success/status. This
fixes the problem of sb->sb_trans_needs_read getting set on dead sockets.
2000-01-15 19:03:16 +00:00
Mark Valence
a76c9f18a9
Start TLS extension: check that TLS was inited successfully, return default referral on failure as appropriate.
1999-12-10 19:18:33 +00:00
Mark Valence
454284f1ea
Adds for Start TLS functionality on slapd and LDAP C API.
1999-12-09 22:33:22 +00:00
Mark Valence
15c83bef9d
Changed ldap_pvt_tls_init_def_ctx() to not fail if there is no cacertfile/dir specified. This lets LDAP_OPT_X_TLS_REQUIRE_CERT=0 work. If LDAP_OPT_X_TLS_REQUIRE_CERT=1, connection will fail as appropriate since there is no CA list.
1999-12-06 04:44:22 +00:00
Mark Valence
a50cd075db
Changes to make TLS work on Windows
1999-10-27 22:40:05 +00:00
Mark Valence
9e7243015c
fixed LDAP_OPT_X_TLS case of ldap_pvt_tls_config().
...
ldap_pvt_tls_set_option() expects int* as third param.
1999-09-25 03:53:17 +00:00