From: Jan Vcelak <jvcelak@redhat.com>
Date: Tue, 9 Aug 2011 13:21:34 +0000 (+0200)
Subject: ITS#7014 TLS: don't check hostname if reqcert is 'allow'
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=3dae953fd6648f655c6bc67702fad4debbe59c40;p=openldap

ITS#7014 TLS: don't check hostname if reqcert is 'allow'

If server certificate hostname does not match the server hostname,
connection is closed even if client has set TLS_REQCERT to 'allow'. This
is wrong - the documentation says, that bad certificates are being
ignored when TLS_REQCERT is set to 'allow'.
---

diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index f38db2755d..3f05c1e127 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -838,7 +838,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 	/* 
 	 * compare host with name(s) in certificate
 	 */
-	if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER) {
+	if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
+	    ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
 		ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
 		if (ld->ld_errno != LDAP_SUCCESS) {
 			return ld->ld_errno;