1 /* tls_g.c - Handle tls/ssl using GNUTLS. */
3 /* This work is part of OpenLDAP Software <http://www.openldap.org/>.
5 * Copyright 2008-2014 The OpenLDAP Foundation.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted only as authorized by the OpenLDAP
12 * A copy of this license is available in the file LICENSE in the
13 * top-level directory of the distribution or, alternatively, at
14 * <http://www.OpenLDAP.org/license.html>.
16 /* ACKNOWLEDGEMENTS: GNUTLS support written by Howard Chu and
17 * Emily Backes; sponsored by The Written Word (thewrittenword.com)
18 * and Stanford University (stanford.edu).
25 #include "ldap_config.h"
29 #include <ac/stdlib.h>
31 #include <ac/socket.h>
32 #include <ac/string.h>
35 #include <ac/unistd.h>
37 #include <ac/dirent.h>
44 #include <gnutls/gnutls.h>
45 #include <gnutls/x509.h>
47 typedef struct tlsg_ctx {
48 struct ldapoptions *lo;
49 gnutls_certificate_credentials_t cred;
50 gnutls_dh_params_t dh_params;
51 unsigned long verify_depth;
53 gnutls_priority_t prios;
55 ldap_pvt_thread_mutex_t ref_mutex;
59 typedef struct tlsg_session {
60 gnutls_session_t session;
62 struct berval peer_der_dn;
65 static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites );
66 static int tlsg_cert_verify( tlsg_session *s );
71 tlsg_mutex_init( void **priv )
74 ldap_pvt_thread_mutex_t *lock = LDAP_MALLOC( sizeof( ldap_pvt_thread_mutex_t ));
79 err = ldap_pvt_thread_mutex_init( lock );
89 tlsg_mutex_destroy( void **lock )
91 int err = ldap_pvt_thread_mutex_destroy( *lock );
97 tlsg_mutex_lock( void **lock )
99 return ldap_pvt_thread_mutex_lock( *lock );
103 tlsg_mutex_unlock( void **lock )
105 return ldap_pvt_thread_mutex_unlock( *lock );
109 tlsg_thr_init( void )
111 gnutls_global_set_mutex (tlsg_mutex_init,
116 #endif /* LDAP_R_COMPILE */
119 * Initialize TLS subsystem. Should be called only once.
124 gnutls_global_init();
129 * Tear down the TLS subsystem. Should only be called once.
134 gnutls_global_deinit();
138 tlsg_ctx_new ( struct ldapoptions *lo )
142 ctx = ber_memcalloc ( 1, sizeof (*ctx) );
145 if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
150 gnutls_priority_init( &ctx->prios, "NORMAL", NULL );
151 #ifdef LDAP_R_COMPILE
152 ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
155 return (tls_ctx *)ctx;
159 tlsg_ctx_ref( tls_ctx *ctx )
161 tlsg_ctx *c = (tlsg_ctx *)ctx;
162 LDAP_MUTEX_LOCK( &c->ref_mutex );
164 LDAP_MUTEX_UNLOCK( &c->ref_mutex );
168 tlsg_ctx_free ( tls_ctx *ctx )
170 tlsg_ctx *c = (tlsg_ctx *)ctx;
175 LDAP_MUTEX_LOCK( &c->ref_mutex );
176 refcount = --c->refcount;
177 LDAP_MUTEX_UNLOCK( &c->ref_mutex );
180 gnutls_priority_deinit( c->prios );
181 gnutls_certificate_free_credentials( c->cred );
183 gnutls_dh_params_deinit( c->dh_params );
188 tlsg_getfile( const char *path, gnutls_datum_t *buf )
193 fd = open( path, O_RDONLY );
194 if ( fd >= 0 && fstat( fd, &st ) == 0 ) {
195 buf->size = st.st_size;
196 buf->data = LDAP_MALLOC( st.st_size + 1 );
198 rc = read( fd, buf->data, st.st_size );
200 if ( rc < st.st_size )
209 /* This is the GnuTLS default */
210 #define VERIFY_DEPTH 6
213 * initialize a new TLS context
216 tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
218 tlsg_ctx *ctx = lo->ldo_tls_ctx;
221 if ( lo->ldo_tls_ciphersuite &&
222 tlsg_parse_ciphers( ctx, lt->lt_ciphersuite )) {
223 Debug( LDAP_DEBUG_ANY,
224 "TLS: could not set cipher list %s.\n",
225 lo->ldo_tls_ciphersuite, 0, 0 );
229 if (lo->ldo_tls_cacertdir != NULL) {
230 Debug( LDAP_DEBUG_ANY,
231 "TLS: warning: cacertdir not implemented for gnutls\n",
235 if (lo->ldo_tls_cacertfile != NULL) {
236 rc = gnutls_certificate_set_x509_trust_file(
239 GNUTLS_X509_FMT_PEM );
240 if ( rc < 0 ) return -1;
243 if ( lo->ldo_tls_certfile && lo->ldo_tls_keyfile ) {
244 gnutls_x509_privkey_t key;
246 gnutls_x509_crt_t certs[VERIFY_DEPTH];
247 unsigned int max = VERIFY_DEPTH;
249 rc = gnutls_x509_privkey_init( &key );
252 /* OpenSSL builds the cert chain for us, but GnuTLS
253 * expects it to be present in the certfile. If it's
254 * not, we have to build it ourselves. So we have to
255 * do some special checks here...
257 rc = tlsg_getfile( lt->lt_keyfile, &buf );
259 rc = gnutls_x509_privkey_import( key, &buf,
260 GNUTLS_X509_FMT_PEM );
261 LDAP_FREE( buf.data );
262 if ( rc < 0 ) return rc;
264 rc = tlsg_getfile( lt->lt_certfile, &buf );
266 rc = gnutls_x509_crt_list_import( certs, &max, &buf,
267 GNUTLS_X509_FMT_PEM, 0 );
268 LDAP_FREE( buf.data );
269 if ( rc < 0 ) return rc;
271 /* If there's only one cert and it's not self-signed,
272 * then we have to build the cert chain.
274 if ( max == 1 && !gnutls_x509_crt_check_issuer( certs[0], certs[0] )) {
275 #if GNUTLS_VERSION_NUMBER >= 0x020c00
277 for ( i = 1; i<VERIFY_DEPTH; i++ ) {
278 if ( gnutls_certificate_get_issuer( ctx->cred, certs[i-1], &certs[i], 0 ))
281 /* If this CA is self-signed, we're done */
282 if ( gnutls_x509_crt_check_issuer( certs[i], certs[i] ))
286 gnutls_x509_crt_t *cas;
287 unsigned int i, j, ncas;
289 gnutls_certificate_get_x509_cas( ctx->cred, &cas, &ncas );
290 for ( i = 1; i<VERIFY_DEPTH; i++ ) {
291 for ( j = 0; j<ncas; j++ ) {
292 if ( gnutls_x509_crt_check_issuer( certs[i-1], cas[j] )) {
295 /* If this CA is self-signed, we're done */
296 if ( gnutls_x509_crt_check_issuer( cas[j], cas[j] ))
301 /* only continue if we found a CA and it was not self-signed */
307 rc = gnutls_certificate_set_x509_key( ctx->cred, certs, max, key );
309 } else if ( lo->ldo_tls_certfile || lo->ldo_tls_keyfile ) {
310 Debug( LDAP_DEBUG_ANY,
311 "TLS: only one of certfile and keyfile specified\n",
316 if ( lo->ldo_tls_crlfile ) {
317 rc = gnutls_certificate_set_x509_crl_file(
320 GNUTLS_X509_FMT_PEM );
321 if ( rc < 0 ) return -1;
325 /* FIXME: ITS#5992 - this should be configurable,
326 * and V1 CA certs should be phased out ASAP.
328 gnutls_certificate_set_verify_flags( ctx->cred,
329 GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT );
331 if ( is_server && lo->ldo_tls_dhfile ) {
333 rc = tlsg_getfile( lo->ldo_tls_dhfile, &buf );
335 rc = gnutls_dh_params_init( &ctx->dh_params );
337 rc = gnutls_dh_params_import_pkcs3( ctx->dh_params, &buf,
338 GNUTLS_X509_FMT_PEM );
339 LDAP_FREE( buf.data );
341 gnutls_certificate_set_dh_params( ctx->cred, ctx->dh_params );
347 tlsg_session_new ( tls_ctx * ctx, int is_server )
349 tlsg_ctx *c = (tlsg_ctx *)ctx;
350 tlsg_session *session;
352 session = ber_memcalloc ( 1, sizeof (*session) );
357 gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
358 gnutls_priority_set( session->session, c->prios );
360 gnutls_credentials_set( session->session, GNUTLS_CRD_CERTIFICATE, c->cred );
364 if ( c->lo->ldo_tls_require_cert ) {
365 flag = GNUTLS_CERT_REQUEST;
366 if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
367 c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
368 flag = GNUTLS_CERT_REQUIRE;
369 gnutls_certificate_server_set_request( session->session, flag );
372 return (tls_session *)session;
376 tlsg_session_accept( tls_session *session )
378 tlsg_session *s = (tlsg_session *)session;
381 rc = gnutls_handshake( s->session );
382 if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
383 const gnutls_datum_t *peer_cert_list;
384 unsigned int list_size;
386 peer_cert_list = gnutls_certificate_get_peers( s->session,
388 if ( !peer_cert_list && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY )
391 rc = tlsg_cert_verify( s );
392 if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
400 tlsg_session_connect( LDAP *ld, tls_session *session )
402 return tlsg_session_accept( session);
406 tlsg_session_upflags( Sockbuf *sb, tls_session *session, int rc )
408 tlsg_session *s = (tlsg_session *)session;
410 if ( rc != GNUTLS_E_INTERRUPTED && rc != GNUTLS_E_AGAIN )
413 switch (gnutls_record_get_direction (s->session)) {
415 sb->sb_trans_needs_read = 1;
418 sb->sb_trans_needs_write = 1;
425 tlsg_session_errmsg( tls_session *sess, int rc, char *buf, size_t len )
427 return (char *)gnutls_strerror( rc );
431 tlsg_x509_cert_dn( struct berval *cert, struct berval *dn, int get_subject )
433 BerElementBuffer berbuf;
434 BerElement *ber = (BerElement *)&berbuf;
439 ber_init2( ber, cert, LBER_USE_DER );
440 tag = ber_skip_tag( ber, &len ); /* Sequence */
441 tag = ber_skip_tag( ber, &len ); /* Sequence */
442 tag = ber_peek_tag( ber, &len ); /* Context + Constructed (version) */
443 if ( tag == 0xa0 ) { /* Version is optional */
444 tag = ber_skip_tag( ber, &len );
445 tag = ber_get_int( ber, &i ); /* Int: Version */
447 tag = ber_skip_tag( ber, &len ); /* Int: Serial (can be longer than ber_int_t) */
448 ber_skip_data( ber, len );
449 tag = ber_skip_tag( ber, &len ); /* Sequence: Signature */
450 ber_skip_data( ber, len );
451 if ( !get_subject ) {
452 tag = ber_peek_tag( ber, &len ); /* Sequence: Issuer DN */
454 tag = ber_skip_tag( ber, &len );
455 ber_skip_data( ber, len );
456 tag = ber_skip_tag( ber, &len ); /* Sequence: Validity */
457 ber_skip_data( ber, len );
458 tag = ber_peek_tag( ber, &len ); /* Sequence: Subject DN */
460 len = ber_ptrlen( ber );
461 dn->bv_val = cert->bv_val + len;
462 dn->bv_len = cert->bv_len - len;
466 tlsg_session_my_dn( tls_session *session, struct berval *der_dn )
468 tlsg_session *s = (tlsg_session *)session;
469 const gnutls_datum_t *x;
472 x = gnutls_certificate_get_ours( s->session );
474 if (!x) return LDAP_INVALID_CREDENTIALS;
476 bv.bv_val = (char *) x->data;
479 tlsg_x509_cert_dn( &bv, der_dn, 1 );
484 tlsg_session_peer_dn( tls_session *session, struct berval *der_dn )
486 tlsg_session *s = (tlsg_session *)session;
487 if ( !s->peer_der_dn.bv_val ) {
488 const gnutls_datum_t *peer_cert_list;
489 unsigned int list_size;
492 peer_cert_list = gnutls_certificate_get_peers( s->session,
494 if ( !peer_cert_list ) return LDAP_INVALID_CREDENTIALS;
496 bv.bv_len = peer_cert_list->size;
497 bv.bv_val = (char *) peer_cert_list->data;
499 tlsg_x509_cert_dn( &bv, &s->peer_der_dn, 1 );
501 *der_dn = s->peer_der_dn;
505 /* what kind of hostname were we given? */
510 #define CN_OID "2.5.4.3"
513 tlsg_session_chkhost( LDAP *ld, tls_session *session, const char *name_in )
515 tlsg_session *s = (tlsg_session *)session;
517 const gnutls_datum_t *peer_cert_list;
518 unsigned int list_size;
519 char altname[NI_MAXHOST];
522 gnutls_x509_crt_t cert;
527 struct in6_addr addr;
531 int len1 = 0, len2 = 0;
534 if( ldap_int_hostname &&
535 ( !name_in || !strcasecmp( name_in, "localhost" ) ) )
537 name = ldap_int_hostname;
542 peer_cert_list = gnutls_certificate_get_peers( s->session,
544 if ( !peer_cert_list ) {
545 Debug( LDAP_DEBUG_ANY,
546 "TLS: unable to get peer certificate.\n",
548 /* If this was a fatal condition, things would have
549 * aborted long before now.
553 ret = gnutls_x509_crt_init( &cert );
555 return LDAP_LOCAL_ERROR;
556 ret = gnutls_x509_crt_import( cert, peer_cert_list, GNUTLS_X509_FMT_DER );
558 gnutls_x509_crt_deinit( cert );
559 return LDAP_LOCAL_ERROR;
563 if (inet_pton(AF_INET6, name, &addr)) {
567 if ((ptr = strrchr(name, '.')) && isdigit((unsigned char)ptr[1])) {
568 if (inet_aton(name, (struct in_addr *)&addr)) ntype = IS_IP4;
571 if (ntype == IS_DNS) {
573 domain = strchr(name, '.');
575 len2 = len1 - (domain-name);
579 for ( i=0, ret=0; ret >= 0; i++ ) {
580 altnamesize = sizeof(altname);
581 ret = gnutls_x509_crt_get_subject_alt_name( cert, i,
582 altname, &altnamesize, NULL );
583 if ( ret < 0 ) break;
586 if ( altnamesize == 0 ) continue;
588 if ( ret == GNUTLS_SAN_DNSNAME ) {
589 if (ntype != IS_DNS) continue;
591 /* Is this an exact match? */
592 if ((len1 == altnamesize) && !strncasecmp(name, altname, len1)) {
596 /* Is this a wildcard match? */
597 if (domain && (altname[0] == '*') && (altname[1] == '.') &&
598 (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2))
602 } else if ( ret == GNUTLS_SAN_IPADDRESS ) {
603 if (ntype == IS_DNS) continue;
606 if (ntype == IS_IP6 && altnamesize != sizeof(struct in6_addr)) {
610 if (ntype == IS_IP4 && altnamesize != sizeof(struct in_addr)) {
613 if (!memcmp(altname, &addr, altnamesize)) {
621 /* find the last CN */
625 ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
626 i, 1, altname, &altnamesize );
627 if ( ret == GNUTLS_E_SHORT_MEMORY_BUFFER )
634 altnamesize = sizeof(altname);
635 ret = gnutls_x509_crt_get_dn_by_oid( cert, CN_OID,
636 i-1, 0, altname, &altnamesize );
640 Debug( LDAP_DEBUG_ANY,
641 "TLS: unable to get common name from peer certificate.\n",
643 ret = LDAP_CONNECT_ERROR;
644 if ( ld->ld_error ) {
645 LDAP_FREE( ld->ld_error );
647 ld->ld_error = LDAP_STRDUP(
648 _("TLS: unable to get CN from peer certificate"));
651 ret = LDAP_LOCAL_ERROR;
652 if ( !len1 ) len1 = strlen( name );
653 if ( len1 == altnamesize && strncasecmp(name, altname, altnamesize) == 0 ) {
656 } else if (( altname[0] == '*' ) && ( altname[1] == '.' )) {
657 /* Is this a wildcard match? */
659 (len2 == altnamesize-1) && !strncasecmp(domain, &altname[1], len2)) {
665 if( ret == LDAP_LOCAL_ERROR ) {
666 altname[altnamesize] = '\0';
667 Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match "
668 "common name in certificate (%s).\n",
670 ret = LDAP_CONNECT_ERROR;
671 if ( ld->ld_error ) {
672 LDAP_FREE( ld->ld_error );
674 ld->ld_error = LDAP_STRDUP(
675 _("TLS: hostname does not match CN in peer certificate"));
678 gnutls_x509_crt_deinit( cert );
683 tlsg_session_strength( tls_session *session )
685 tlsg_session *s = (tlsg_session *)session;
686 gnutls_cipher_algorithm_t c;
688 c = gnutls_cipher_get( s->session );
689 return gnutls_cipher_get_key_size( c ) * 8;
693 tlsg_session_unique( tls_session *sess, struct berval *buf, int is_server)
695 /* channel bindings added in 2.12.0 */
696 #if GNUTLS_VERSION_NUMBER >= 0x020c00
697 tlsg_session *s = (tlsg_session *)sess;
701 rc = gnutls_session_channel_binding( s->session, GNUTLS_CB_TLS_UNIQUE, &cb );
704 if ( len > buf->bv_len )
707 memcpy( buf->bv_val, cb.data, len );
715 tlsg_session_version( tls_session *sess )
717 tlsg_session *s = (tlsg_session *)sess;
718 return gnutls_protocol_get_name(gnutls_protocol_get_version( s->session ));
722 tlsg_session_cipher( tls_session *sess )
724 tlsg_session *s = (tlsg_session *)sess;
725 return gnutls_cipher_get_name(gnutls_cipher_get( s->session ));
729 tlsg_session_peercert( tls_session *sess, struct berval *der )
731 tlsg_session *s = (tlsg_session *)sess;
732 const gnutls_datum_t *peer_cert_list;
733 unsigned int list_size;
735 peer_cert_list = gnutls_certificate_get_peers( s->session, &list_size );
738 der->bv_len = peer_cert_list[0].size;
739 der->bv_val = LDAP_MALLOC( der->bv_len );
742 memcpy(der->bv_val, peer_cert_list[0].data, der->bv_len);
746 /* suites is a string of colon-separated cipher suite names. */
748 tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites )
751 int rc = gnutls_priority_init( &ctx->prios, suites, &err );
758 * TLS support for LBER Sockbufs
762 tlsg_session *session;
763 Sockbuf_IO_Desc *sbiod;
767 tlsg_recv( gnutls_transport_ptr_t ptr, void *buf, size_t len )
771 if ( buf == NULL || len <= 0 ) return 0;
773 p = (struct tls_data *)ptr;
775 if ( p == NULL || p->sbiod == NULL ) {
779 return LBER_SBIOD_READ_NEXT( p->sbiod, buf, len );
783 tlsg_send( gnutls_transport_ptr_t ptr, const void *buf, size_t len )
787 if ( buf == NULL || len <= 0 ) return 0;
789 p = (struct tls_data *)ptr;
791 if ( p == NULL || p->sbiod == NULL ) {
795 return LBER_SBIOD_WRITE_NEXT( p->sbiod, (char *)buf, len );
799 tlsg_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
802 tlsg_session *session = arg;
804 assert( sbiod != NULL );
806 p = LBER_MALLOC( sizeof( *p ) );
811 gnutls_transport_set_ptr( session->session, (gnutls_transport_ptr)p );
812 gnutls_transport_set_pull_function( session->session, tlsg_recv );
813 gnutls_transport_set_push_function( session->session, tlsg_send );
814 p->session = session;
816 sbiod->sbiod_pvt = p;
821 tlsg_sb_remove( Sockbuf_IO_Desc *sbiod )
825 assert( sbiod != NULL );
826 assert( sbiod->sbiod_pvt != NULL );
828 p = (struct tls_data *)sbiod->sbiod_pvt;
829 gnutls_deinit ( p->session->session );
830 LBER_FREE( p->session );
831 LBER_FREE( sbiod->sbiod_pvt );
832 sbiod->sbiod_pvt = NULL;
837 tlsg_sb_close( Sockbuf_IO_Desc *sbiod )
841 assert( sbiod != NULL );
842 assert( sbiod->sbiod_pvt != NULL );
844 p = (struct tls_data *)sbiod->sbiod_pvt;
845 gnutls_bye ( p->session->session, GNUTLS_SHUT_WR );
850 tlsg_sb_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
854 assert( sbiod != NULL );
855 assert( sbiod->sbiod_pvt != NULL );
857 p = (struct tls_data *)sbiod->sbiod_pvt;
859 if ( opt == LBER_SB_OPT_GET_SSL ) {
860 *((tlsg_session **)arg) = p->session;
863 } else if ( opt == LBER_SB_OPT_DATA_READY ) {
864 if( gnutls_record_check_pending( p->session->session ) > 0 ) {
869 return LBER_SBIOD_CTRL_NEXT( sbiod, opt, arg );
873 tlsg_sb_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
878 assert( sbiod != NULL );
879 assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
881 p = (struct tls_data *)sbiod->sbiod_pvt;
883 ret = gnutls_record_recv ( p->session->session, buf, len );
885 case GNUTLS_E_INTERRUPTED:
887 sbiod->sbiod_sb->sb_trans_needs_read = 1;
888 sock_errset(EWOULDBLOCK);
891 case GNUTLS_E_REHANDSHAKE:
892 for ( ret = gnutls_handshake ( p->session->session );
893 ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN;
894 ret = gnutls_handshake ( p->session->session ) );
895 sbiod->sbiod_sb->sb_trans_needs_read = 1;
899 sbiod->sbiod_sb->sb_trans_needs_read = 0;
905 tlsg_sb_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
910 assert( sbiod != NULL );
911 assert( SOCKBUF_VALID( sbiod->sbiod_sb ) );
913 p = (struct tls_data *)sbiod->sbiod_pvt;
915 ret = gnutls_record_send ( p->session->session, (char *)buf, len );
917 if ( ret == GNUTLS_E_INTERRUPTED || ret == GNUTLS_E_AGAIN ) {
918 sbiod->sbiod_sb->sb_trans_needs_write = 1;
919 sock_errset(EWOULDBLOCK);
922 sbiod->sbiod_sb->sb_trans_needs_write = 0;
927 static Sockbuf_IO tlsg_sbio =
929 tlsg_sb_setup, /* sbi_setup */
930 tlsg_sb_remove, /* sbi_remove */
931 tlsg_sb_ctrl, /* sbi_ctrl */
932 tlsg_sb_read, /* sbi_read */
933 tlsg_sb_write, /* sbi_write */
934 tlsg_sb_close /* sbi_close */
937 /* Certs are not automatically varified during the handshake */
939 tlsg_cert_verify( tlsg_session *ssl )
941 unsigned int status = 0;
943 time_t now = time(0);
946 err = gnutls_certificate_verify_peers2( ssl->session, &status );
948 Debug( LDAP_DEBUG_ANY,"TLS: gnutls_certificate_verify_peers2 failed %d\n",
953 Debug( LDAP_DEBUG_TRACE,"TLS: peer cert untrusted or revoked (0x%x)\n",
957 peertime = gnutls_certificate_expiration_time_peers( ssl->session );
958 if ( peertime == (time_t) -1 ) {
959 Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_expiration_time_peers failed\n",
963 if ( peertime < now ) {
964 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate is expired\n",
968 peertime = gnutls_certificate_activation_time_peers( ssl->session );
969 if ( peertime == (time_t) -1 ) {
970 Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_activation_time_peers failed\n",
974 if ( peertime > now ) {
975 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate not yet active\n",
982 tls_impl ldap_int_tls_impl = {
994 tlsg_session_connect,
996 tlsg_session_upflags,
999 tlsg_session_peer_dn,
1000 tlsg_session_chkhost,
1001 tlsg_session_strength,
1002 tlsg_session_unique,
1003 tlsg_session_version,
1004 tlsg_session_cipher,
1005 tlsg_session_peercert,
1009 #ifdef LDAP_R_COMPILE
1018 #endif /* HAVE_GNUTLS */