From: Howard Chu
Date: Sat, 4 May 2002 00:05:48 +0000 (+0000)
Subject: Changed default tls_opt_require_cert value to LDAP_OPT_X_TLS_DEMAND; force
X-Git-Tag: OPENLDAP_REL_ENG_2_MP~102
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=0390a171b9b3f77a0781ae54c696e099ea4918fd;p=openldap

Changed default tls_opt_require_cert value to LDAP_OPT_X_TLS_DEMAND; force a fatal error when TLS server cert verification fails. Changed ldap_pvt_tls_check_hostname to return LDAP_SUCCESS when no cert is found: this can now only occur if tls_opt_require_cert was explicitly set to NEVER or ALLOW. In tls_verify_cb, added a text translation of the verification error code to the debug message.
---
diff --git a/libraries/libldap/tls.c b/libraries/libldap/tls.c
index 19ad523acf..19ae058212 100644
--- a/libraries/libldap/tls.c
+++ b/libraries/libldap/tls.c
@@ -41,7 +41,7 @@ static char *tls_opt_certfile = NULL;
 static char *tls_opt_keyfile = NULL;
 static char *tls_opt_cacertfile = NULL;
 static char *tls_opt_cacertdir = NULL;
-static int tls_opt_require_cert = 0;
+static int tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND;
 static char *tls_opt_ciphersuite = NULL;
 static char *tls_opt_randfile = NULL;
@@ -901,7 +901,10 @@ ldap_pvt_tls_check_hostname( void *s, const char *name_in )
 "TLS: unable to get peer certificate.\n", 0, 0, 0 );
 #endif
- return ret;
+ /* If this was a fatal condition, things would have
+ * aborted long before now.
+ */
+ return LDAP_SUCCESS;
 }
 i = X509_get_ext_by_NID(x, NID_subject_alt_name, -1);
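Review bot: The new default on the `+static int tls_opt_require_cert = LDAP_OPT_X_TLS_DEMAND;` line is the library-wide policy that the rest of this commit depends on (the LDAP_SUCCESS return in ldap_pvt_tls_check_hostname is only safe because a missing certificate is now fatal earlier), yet nothing at the definition records that. Add `/* Default policy: demand and verify the server certificate. NEVER/ALLOW must be chosen explicitly by the caller; the hostname check assumes this. */` above it so a later relaxation of the default is made with that dependency in view. It is also worth confirming that no initialisation or option-parsing path elsewhere in the file still writes the old value 0 into this variable, which would silently restore the permissive behaviour; that cannot be seen from this hunk.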
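Review bot: The `+ return LDAP_SUCCESS;` branch reports a passing hostname check for a peer that presented no certificate, and the comment above it justifies this only by an invariant enforced elsewhere (tls_opt_require_cert being DEMAND or stricter so the handshake already failed). Nothing in this function checks that invariant, so a later change to the default or to option handling turns this into a silent bypass of the hostname check; encode it locally with `if ( tls_opt_require_cert != LDAP_OPT_X_TLS_NEVER && tls_opt_require_cert != LDAP_OPT_X_TLS_ALLOW ) return ret; /* should be unreachable */` placed before the `return LDAP_SUCCESS;`, assuming those constants are what the NEVER/ALLOW settings in the commit message map to. If the "unable to get peer certificate" message just above is emitted at a trace level (its level is not visible here), consider raising it to LDAP_DEBUG_ANY, since an unverified peer identity is worth an operator-visible line. ldap_pvt_tls_check_hostname begins and ends outside this hunk, and the value `ret` held on the removed line is set before it.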
@@ -1383,12 +1386,21 @@ tls_verify_cb( int ok, X509_STORE_CTX *ctx )
 "TLS certificate verification: depth: %d, err: %d: " "subject: %s, issuer: %s\n", errdepth, errnum, sname ? sname : "-unknown-", iname ? iname : "-unknown-" ));
+ if ( !ok ) {
+ LDAP_LOG (( "tls", LDAP_LEVEL_ERR, "TLS certificate verification: Error, %s\n",
+ X509_verify_cert_error_string(errnum)));
+ }
 #else
 Debug( LDAP_DEBUG_TRACE, "TLS certificate verification: depth: %d, err: %d, subject: %s,", errdepth, errnum, sname ? sname : "-unknown-" );
 Debug( LDAP_DEBUG_TRACE, " issuer: %s\n", iname ? iname : "-unknown-", 0, 0 );
+ if ( !ok ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS certificate verification: Error, %s\n",
+ X509_verify_cert_error_string(errnum), 0, 0 );
+ }
 #endif
 if ( sname ) CRYPTO_free ( sname );
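Review bot: The new LDAP_DEBUG_ANY message in the `#else` branch drops the depth and subject that the preceding LDAP_DEBUG_TRACE lines carry, so in a normal deployment (trace off, ANY on) an operator sees only e.g. "Error, self signed certificate" with no indication of which certificate in the chain failed, which is exactly what an incident responder needs. Since Debug takes three trailing arguments (the `0, 0, 0` placeholders), fill them: `"TLS certificate verification: Error, %s (depth %d, subject %s)\n",` / `X509_verify_cert_error_string(errnum), errdepth, sname ? sname : "-unknown-" );`, and carry the same fields into the LDAP_LOG message in the first added block. `sname` is still valid there because it is only released at `CRYPTO_free ( sname )` after the `#endif`. tls_verify_cb starts and ends outside this hunk, so whether the callback returns `ok` unchanged — and therefore actually fails the handshake as the commit message intends — cannot be confirmed from what is shown.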