[exim-cvs] Bug 1287 - Fix tls_require_cert

Autor: Exim Git Commits Mailing List
Datum:  
To: exim-cvs
Betreff: [exim-cvs] Bug 1287 - Fix tls_require_cert
Gitweb: http://git.exim.org/exim.git/commitdiff/33382dd9537a16c676e07632e122c0112855d5c3
Commit:     33382dd9537a16c676e07632e122c0112855d5c3
Parent:     a30a8861ef512a88394517f713f1e66b486e5c7c
Author:     Todd Lyons <tlyons@???>
AuthorDate: Tue Sep 10 14:09:51 2013 -0700
Committer:  Todd Lyons <tlyons@???>
CommitDate: Sun Sep 22 09:22:48 2013 -0700


    Bug 1287 - Fix tls_require_cert
---
 doc/doc-txt/ChangeLog  |    5 +++++
 src/src/lookups/ldap.c |   35 ++++++++++++++++++++++++++++++++---
 2 files changed, 37 insertions(+), 3 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9d9f17d..61cd6f0 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -223,6 +223,11 @@ TL/09 Add expansion variable $authenticated_fail_id to keep track of
 TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by
       Alexander Miroch.


+TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls
+      ldap library initialization, allowing self-signed CA's to be
+      used. Also properly sets require_cert option later in code by
+      using NULL (global ldap config) instead of ldap handle (per
+      session). Bug diagnosis and testing by alxgomz.


 Exim version 4.80.1
 -------------------
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index f121bce..bb29b43 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -416,15 +416,43 @@ if (lcp == NULL)
   if (!ldapi)
     {
     int tls_option;
+    #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+    if (eldap_require_cert != NULL)
+      {
+      tls_option = LDAP_OPT_X_TLS_NEVER;
+      if (Ustrcmp(eldap_require_cert, "hard") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_HARD;
+        }
+      else if (Ustrcmp(eldap_require_cert, "demand") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_DEMAND;
+        }
+      else if (Ustrcmp(eldap_require_cert, "allow") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_ALLOW;
+        }
+      else if (Ustrcmp(eldap_require_cert, "try") == 0)
+        {
+        tls_option = LDAP_OPT_X_TLS_TRY;
+        }
+      DEBUG(D_lookup)
+        debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n",
+                     tls_option);
+      }
+    else
+    #endif  /* LDAP_OPT_X_TLS_REQUIRE_CERT */
     if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
       {
       tls_option = LDAP_OPT_X_TLS_HARD;
-      DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_HARD set\n");
+      DEBUG(D_lookup)
+        debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n");
       }
     else
       {
       tls_option = LDAP_OPT_X_TLS_TRY;
-      DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_TRY set\n");
+      DEBUG(D_lookup)
+        debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n");
       }
     ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
     }
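Review bot: Any `ldap_require_cert` value the new chain does not recognise — a typo such as `demnad`, or a value added in a later libldap — is silently mapped to `LDAP_OPT_X_TLS_NEVER` by the preset on the first line of the branch, so a misconfiguration fails open to the weakest TLS mode and the only trace is a debug line that prints the bare integer. It would be safer to match `never` explicitly, report an unrecognised string by name, and fall back to the existing ldaps:///ldap:// default instead of to NEVER; the `else` immediately followed by `#endif` is also brittle, since the conditional block only parses because the URI `if` happens to follow it. Whether a `demand`/`allow` override on an ldaps:// URI still gets TLS at connect time depends on libldap honouring the scheme rather than the `LDAP_OPT_X_TLS` value — worth confirming in a test against a real server. The enclosing `if (lcp == NULL)` block and its function begin before this hunk and continue after it.
```c
    int tls_option = -1;   /* -1: ldap_require_cert unset or not recognised */
    #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
    if (eldap_require_cert != NULL)
      {
      if (Ustrcmp(eldap_require_cert, "never") == 0)
        tls_option = LDAP_OPT_X_TLS_NEVER;
      else if (Ustrcmp(eldap_require_cert, "hard") == 0)
        tls_option = LDAP_OPT_X_TLS_HARD;
      /* … unchanged: demand / allow / try branches … */
      else
        DEBUG(D_lookup)
          debug_printf("Unrecognised ldap_require_cert value \"%s\" ignored\n",
                       eldap_require_cert);
      if (tls_option >= 0)
        DEBUG(D_lookup)
          debug_printf("ldap_require_cert overrides LDAP_OPT_X_TLS option (%d)\n",
                       tls_option);
      }
    #endif  /* LDAP_OPT_X_TLS_REQUIRE_CERT */
    if (tls_option < 0)
      {
      /* … unchanged: HARD for ldaps://, TRY for ldap:// … */
      }
    ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
```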
@@ -480,7 +508,8 @@ if (lcp == NULL)
       {
       cert_option = LDAP_OPT_X_TLS_TRY;
       }
-    ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+    /* Use NULL ldap handle because is a global option */
+    ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
     }
   #endif