authorTodd Lyons <tlyons@exim.org>2013-09-10 14:09:51 -0700
committerTodd Lyons <tlyons@exim.org>2013-09-22 09:22:48 -0700
commit33382dd9537a16c676e07632e122c0112855d5c3 (patch)
tree9bd29c4a2eb6b845c9f801ec984cb969f5f549fe
parenta30a8861ef512a88394517f713f1e66b486e5c7c (diff)
Bug 1287 - Fix tls_require_cert
-rw-r--r--doc/doc-txt/ChangeLog5
-rw-r--r--src/src/lookups/ldap.c35
2 files changed, 37 insertions, 3 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9d9f17d5b..61cd6f02b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -223,6 +223,11 @@ TL/09 Add expansion variable $authenticated_fail_id to keep track of
TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by
Alexander Miroch.
+TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls
+ ldap library initialization, allowing self-signed CA's to be
+ used. Also properly sets require_cert option later in code by
+ using NULL (global ldap config) instead of ldap handle (per
+ session). Bug diagnosis and testing by alxgomz.
Exim version 4.80.1
-------------------
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index f121bce61..bb29b43af 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -416,15 +416,43 @@ if (lcp == NULL)
if (!ldapi)
{
int tls_option;
+ #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ if (eldap_require_cert != NULL)
+ {
+ tls_option = LDAP_OPT_X_TLS_NEVER;
+ if (Ustrcmp(eldap_require_cert, "hard") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_HARD;
+ }
+ else if (Ustrcmp(eldap_require_cert, "demand") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_DEMAND;
+ }
+ else if (Ustrcmp(eldap_require_cert, "allow") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_ALLOW;
+ }
+ else if (Ustrcmp(eldap_require_cert, "try") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_TRY;
+ }
+ DEBUG(D_lookup)
+ debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n",
+ tls_option);
+ }
+ else
+ #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
{
tls_option = LDAP_OPT_X_TLS_HARD;
- DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_HARD set\n");
+ DEBUG(D_lookup)
+ debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n");
}
else
{
tls_option = LDAP_OPT_X_TLS_TRY;
- DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_TRY set\n");
+ DEBUG(D_lookup)
+ debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n");
}
ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
}
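Review bot: A value of ldap_require_cert that is none of "hard", "demand", "allow" or "try" (a typo, or the documented "never" spelled any other way) now lands on the `tls_option = LDAP_OPT_X_TLS_NEVER;` seed at the top of the new `#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT` block, so a misconfigured option silently turns TLS off for the connection instead of keeping the URI-derived HARD/TRY default the pre-patch code applied; the only signal is the D_lookup debug line. I would seed `tls_option` from the URI scheme, match "never" explicitly, and report any other string, so an unrecognised value fails towards the old behaviour rather than towards no TLS. The second hunk's mapping of the same string falls back to LDAP_OPT_X_TLS_TRY, so the two fallbacks should also agree. The enclosing function starts and ends outside this hunk.
```c
  if (eldap_require_cert != NULL)
    {
    /* Seed with the URI-derived value so an unrecognised string keeps
    the pre-existing behaviour instead of disabling TLS. */
    tls_option = (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
      ? LDAP_OPT_X_TLS_HARD : LDAP_OPT_X_TLS_TRY;
    if (Ustrcmp(eldap_require_cert, "hard") == 0)
      {
      tls_option = LDAP_OPT_X_TLS_HARD;
      }
    /* … unchanged: "demand", "allow", "try" branches … */
    else if (Ustrcmp(eldap_require_cert, "never") == 0)
      {
      tls_option = LDAP_OPT_X_TLS_NEVER;
      }
    else
      {
      DEBUG(D_lookup)
        debug_printf("unrecognised ldap_require_cert value, keeping URI default (%d)\n",
          tls_option);
      }
```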
@@ -480,7 +508,8 @@ if (lcp == NULL)
{
cert_option = LDAP_OPT_X_TLS_TRY;
}
- ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+ /* Use NULL ldap handle because is a global option */
+ ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
}
#endif