Gitweb:
http://git.exim.org/exim.git/commitdiff/33382dd9537a16c676e07632e122c0112855d5c3
Commit: 33382dd9537a16c676e07632e122c0112855d5c3
Parent: a30a8861ef512a88394517f713f1e66b486e5c7c
Author: Todd Lyons <tlyons@???>
AuthorDate: Tue Sep 10 14:09:51 2013 -0700
Committer: Todd Lyons <tlyons@???>
CommitDate: Sun Sep 22 09:22:48 2013 -0700
Bug 1287 - Fix tls_require_cert
---
doc/doc-txt/ChangeLog | 5 +++++
src/src/lookups/ldap.c | 35 ++++++++++++++++++++++++++++++++---
2 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9d9f17d..61cd6f0 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -223,6 +223,11 @@ TL/09 Add expansion variable $authenticated_fail_id to keep track of
TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by
Alexander Miroch.
+TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls
+ ldap library initialization, allowing self-signed CA's to be
+ used. Also properly sets require_cert option later in code by
+ using NULL (global ldap config) instead of ldap handle (per
+ session). Bug diagnosis and testing by alxgomz.
Exim version 4.80.1
-------------------
diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c
index f121bce..bb29b43 100644
--- a/src/src/lookups/ldap.c
+++ b/src/src/lookups/ldap.c
@@ -416,15 +416,43 @@ if (lcp == NULL)
if (!ldapi)
{
int tls_option;
+ #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
+ if (eldap_require_cert != NULL)
+ {
+ tls_option = LDAP_OPT_X_TLS_NEVER;
+ if (Ustrcmp(eldap_require_cert, "hard") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_HARD;
+ }
+ else if (Ustrcmp(eldap_require_cert, "demand") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_DEMAND;
+ }
+ else if (Ustrcmp(eldap_require_cert, "allow") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_ALLOW;
+ }
+ else if (Ustrcmp(eldap_require_cert, "try") == 0)
+ {
+ tls_option = LDAP_OPT_X_TLS_TRY;
+ }
+ DEBUG(D_lookup)
+ debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n",
+ tls_option);
+ }
+ else
+ #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0)
{
tls_option = LDAP_OPT_X_TLS_HARD;
- DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_HARD set\n");
+ DEBUG(D_lookup)
+ debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n");
}
else
{
tls_option = LDAP_OPT_X_TLS_TRY;
- DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_TRY set\n");
+ DEBUG(D_lookup)
+ debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n");
}
ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option);
}
@@ -480,7 +508,8 @@ if (lcp == NULL)
{
cert_option = LDAP_OPT_X_TLS_TRY;
}
- ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
+ /* Use NULL ldap handle because is a global option */
+ ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option);
}
#endif