From: Howard Chu <hyc@openldap.org>
Date: Sun, 10 Feb 2008 06:29:40 +0000 (+0000)
Subject: ITS#5360 move tls option setup
X-Git-Tag: OPENLDAP_REL_ENG_2_4_9~20^2~179
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=ae471f78c32d7531c729aa88116b8b413cc200bf;p=openldap

ITS#5360 move tls option setup
---

diff --git a/servers/slapd/init.c b/servers/slapd/init.c
index d99453df33..73e4225067 100644
--- a/servers/slapd/init.c
+++ b/servers/slapd/init.c
@@ -179,16 +179,6 @@ slap_init( int mode, const char *name )
 		return 1;
 	}
 
-#ifdef HAVE_TLS
-	/* Library defaults to full certificate checking. This is correct when
-	 * a client is verifying a server because all servers should have a
-	 * valid cert. But few clients have valid certs, so we want our default
-	 * to be no checking. The config file can override this as usual.
-	 */
-	rc = 0;
-	(void) ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc );
-#endif
-
 	if ( frontend_init() ) {
 		slap_debug |= LDAP_DEBUG_NONE;
 		Debug( LDAP_DEBUG_ANY,
diff --git a/servers/slapd/main.c b/servers/slapd/main.c
index 2a4bb85c91..70dae327d6 100644
--- a/servers/slapd/main.c
+++ b/servers/slapd/main.c
@@ -736,6 +736,13 @@ unhandled_option:;
 		SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
 		goto destroy;
 	}
+	/* Library defaults to full certificate checking. This is correct when
+	 * a client is verifying a server because all servers should have a
+	 * valid cert. But few clients have valid certs, so we want our default
+	 * to be no checking. The config file can override this as usual.
+	 */
+	rc = LDAP_OPT_X_TLS_NEVER;
+	(void) ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc );
 #endif
 
 	rc = slap_init( serverMode, serverName );