static char *tls_opt_keyfile = NULL;
static char *tls_opt_cacertfile = NULL;
static char *tls_opt_cacertdir = NULL;
-static int tls_opt_require_cert = 0;
+static int tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND;
static char *tls_opt_ciphersuite = NULL;
static char *tls_opt_randfile = NULL;
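Review bot: The new default `LDAP_OPT_X_TLS_DEMAND` at the `tls_opt_require_cert` definition carries no comment explaining that it is the security-relevant knob, so the next person tuning it will not see why it must not drift back to `0` (never). I would document it at the definition: `/* Default TLS_REQCERT is "demand": the peer must present a certificate that verifies, or the handshake fails. "never"/"allow" disable peer verification and expose the connection to MITM; only a config option should lower this. */`. Note that this is only the compiled-in default; whatever config parsing sets this option elsewhere in the file can still override it, and that code is outside this hunk.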
"TLS: unable to get peer certificate.\n",
0, 0, 0 );
#endif
- return ret;
+ /* If this was a fatal condition, things would have
+ * aborted long before now.
+ */
+ return LDAP_SUCCESS;
}
i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
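Review bot: Returning `LDAP_SUCCESS` when no peer certificate is available silently skips the hostname check, and the added comment only holds when the verify policy is demand/hard; under `never`/`allow` a missing certificate is not fatal to the handshake, so this function now reports success without having checked anything. That may be the intended policy (a missing cert is accepted by configuration), but the comment should say so rather than assert it was already fatal: `/* No peer cert. Under TLS_REQCERT demand/hard the handshake has already failed; under never/allow a missing cert is accepted by policy and there is nothing to match against the hostname, so report success rather than an error. */`. The old code returned `ret` here, so any caller that distinguished "no certificate" from "hostname matched" loses that signal. The enclosing function starts before this hunk, so `ret`'s value at this point is not visible from here.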
"TLS certificate verification: depth: %d, err: %d: "
"subject: %s, issuer: %s\n", errdepth, errnum,
sname ? sname : "-unknown-", iname ? iname : "-unknown-" ));
+ if ( !ok ) {
+ LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "TLS certificate verification: Error, %s\n",
+ X509_verify_cert_error_string(errnum)));
+ }
#else
Debug( LDAP_DEBUG_TRACE,
"TLS certificate verification: depth: %d, err: %d, subject: %s,",
errdepth, errnum,
sname ? sname : "-unknown-" );
Debug( LDAP_DEBUG_TRACE, " issuer: %s\n", iname ? iname : "-unknown-", 0, 0 );
+ if ( !ok ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS certificate verification: Error, %s\n",
+ X509_verify_cert_error_string(errnum), 0, 0 );
+ }
#endif
if ( sname )
CRYPTO_free ( sname );
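Review bot: The new `LDAP_DEBUG_ANY` error message on the `!ok` path reports only `X509_verify_cert_error_string(errnum)`, while the depth and subject that identify which certificate in the chain failed are logged separately at `LDAP_DEBUG_TRACE`, which is normally off in production; an operator will see "certificate has expired" with no indication whether it was the leaf or an intermediate. Since `sname` is still valid until the `CRYPTO_free` below, I would fold depth and subject into the error line, e.g. `"TLS certificate verification: Error, %s, depth: %d, subject: %s\n", X509_verify_cert_error_string(errnum), errdepth, sname ? sname : "-unknown-"`, and the same for the `LDAP_LOG` variant. The callback's return statement is outside this hunk, so whether `ok` is still returned unchanged (i.e. logging does not override the verification result) cannot be confirmed from here and is worth checking.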