← Back to branch summary

~ius-coredev/ius/openldap24

« back to all changes in this revision

Viewing changes to SOURCES/openldap-nss-reqcert-hostname.patch

  • Committer: Jeffrey Ness
  • Date: 2012-08-15 18:21:06 UTC
  • Revision ID: jeffrey.ness@rackspace.com-20120815182106-fifa0yp2oe0u3tsw
first

Show diffs side-by-side

added added

removed removed

Lines of Context:
SOURCES/openldap-nss-reqcert-hostname.patch
 
1
Do not check server hostname when TLS_REQCERT is 'allow'.
 
2
 
 
3
If server certificate hostname does not match the server hostname,
 
4
connection is closed even if client has set TLS_REQCERT to 'allow'. This
 
5
is wrong - the documentation says, that bad certificates are being
 
6
ignored when TLS_REQCERT is set to 'allow'.
 
7
 
 
8
Author: Jan Vcelak <jvcelak@redhat.com>
 
9
Upstream ITS: #7014
 
10
Resolves: #729095
 
11
 
 
12
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
 
13
index f38db27..3f05c1e 100644
 
14
--- a/libraries/libldap/tls2.c
 
15
+++ b/libraries/libldap/tls2.c
 
16
@@ -838,7 +838,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 
17
        /* 
 
18
         * compare host with name(s) in certificate
 
19
         */
 
20
-       if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER) {
 
21
+       if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
 
22
+           ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
 
23
                ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
 
24
                if (ld->ld_errno != LDAP_SUCCESS) {
 
25
                        return ld->ld_errno;
 
26
-- 
 
27
1.7.6
 
28