Partial support for a new option to help debug TLS connections,
[openldap] / libraries / libldap / open.c
index 50641603c79ee26974d6560ad26f68959978a65c..419b4277e0cca5b215c193fe9fd04a0d034cfdee 100644 (file)
@@ -12,7 +12,8 @@
 #include "portable.h"
 
 #include <stdio.h>
-#include <stdlib.h>
+
+#include <ac/stdlib.h>
 
 #include <ac/socket.h>
 #include <ac/string.h>
@@ -251,6 +252,20 @@ open_ldap_connection( LDAP *ld, Sockbuf *sb, const char *host, int defport,
    
        ber_pvt_sb_set_io( sb, &ber_pvt_sb_io_tcp, NULL );
 
+#ifdef HAVE_TLS
+       if ( ld->ld_options.ldo_tls_mode == LDAP_OPT_X_TLS_HARD ) {
+               /*
+                * Fortunately, the lib uses blocking io...
+                */
+               if ( ldap_pvt_tls_connect( sb, ld->ld_options.ldo_tls_ctx ) < 
+                    0 ) {
+                       return -1;
+               }
+               /* FIXME: hostname of server must be compared with name in
+                * certificate....
+                */
+       }
+#endif
        if ( krbinstancep != NULL ) {
 #ifdef HAVE_KERBEROS
                char *c;
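Review bot: In the `LDAP_OPT_X_TLS_HARD` branch only the return value of `ldap_pvt_tls_connect()` is checked, so the name in the server certificate is never compared with `host` and the session continues with an unverified peer. The FIXME records this, but callers can still mistake hard mode for server authentication, so I would state the limitation where it applies, e.g. `/* WARNING: certificate name is not checked against host yet; TLS here does not authenticate the server */`, and keep the option documented as incomplete until the comparison is added. The new `return -1` exits right after the I/O layer was set on `sb`; whether the descriptor is closed on this path is not visible here, so confirm it matches the other error returns in `open_ldap_connection`, whose body starts and ends outside the hunk. The "blocking io" comment is an assumption the code does not enforce, and a non-blocking socket would presumably make the handshake fail early, so it is worth documenting as a precondition.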