From: Howard Chu
Date: Mon, 26 Jan 2009 02:16:46 +0000 (+0000)
Subject: ITS#5655 for new structure
X-Git-Tag: ACLCHECK_0~955
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=f9fd0f0cc4f57970a15bed71ca387ff2e0498cdb;p=openldap
ITS#5655 for new structure
---
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index 937dc221c2..37e012aed7 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -542,6 +542,23 @@ ldap_int_tls_config( LDAP *ld, int option, const char *arg )
 return ldap_pvt_tls_set_option( ld, option, &i );
 }
 return -1;
+ case LDAP_OPT_X_TLS_PROTOCOL_MIN: {
+ char *next;
+ long l;
+ l = strtol( arg, &next, 10 );
+ if ( l < 0 || l > 0xff || next == arg ||
+ ( *next != '\0' && *next != '.' ) )
+ return -1;
+ i = l << 8;
+ if (*next == '.') {
+ arg = next + 1;
+ l = strtol( arg, &next, 10 );
+ if ( l < 0 || l > 0xff || next == arg || *next != '\0' )
+ return -1;
+ i += l;
+ }
+ return ldap_pvt_tls_set_option( ld, option, &i );
+ }
 case LDAP_OPT_X_TLS_CRLCHECK: /* OpenSSL only */
 i = -1;
 if ( strcasecmp( arg, "none" ) == 0 ) {
@@ -625,6 +642,9 @@ ldap_pvt_tls_get_option( LDAP *ld, int option, void *arg )
 *(char **)arg = lo->ldo_tls_ciphersuite ?
 LDAP_STRDUP( lo->ldo_tls_ciphersuite ) : NULL;
 break;
+ case LDAP_OPT_X_TLS_PROTOCOL_MIN:
+ *(int *)arg = lo->ldo_tls_protocol_min;
+ break;
 case LDAP_OPT_X_TLS_RANDOM_FILE: /* OpenSSL only */
 *(char **)arg = lo->ldo_tls_randfile ?
 LDAP_STRDUP( lo->ldo_tls_randfile ) : NULL;
@@ -756,6 +776,11 @@ ldap_pvt_tls_set_option( LDAP *ld, int option, void *arg )
 lo->ldo_tls_ciphersuite = arg ?
 LDAP_STRDUP( (char *) arg ) : NULL;
 return 0;
+ case LDAP_OPT_X_TLS_PROTOCOL_MIN:
+ if ( !arg ) return -1;
+ lo->ldo_tls_protocol_min = *(int *)arg;
+ return 0;
+
 case LDAP_OPT_X_TLS_RANDOM_FILE: /* OpenSSL only */
 if ( ld != NULL )
 return -1;
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 4bb500cae3..fc4f9bc3d6 100644
--- a/libraries/libldap/tls_o.c
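Review bot: The `major[.minor]` parser in the new LDAP_OPT_X_TLS_PROTOCOL_MIN case of ldap_int_tls_config is looser than its checks suggest: strtol skips leading whitespace and accepts a sign, so `" 3"`, `"+3"` and `"3.+1"` all pass, because `next == arg` only rejects an empty field and `l < 0` only catches negatives. If only digits are meant, guard each strtol with `if ( !isdigit( (unsigned char)*arg ) ) return -1;` (ctype.h, if the file does not already include it). The encoding at `i = l << 8;` also deserves a comment, e.g. `/* encode as (major << 8) | minor, e.g. "3.1" -> 0x301; presumably the same layout as LDAP_OPT_X_TLS_PROTOCOL_* */`. ldap_int_tls_config starts and ends outside the hunk.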
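Review bot: The new LDAP_OPT_X_TLS_PROTOCOL_MIN case in ldap_pvt_tls_set_option stores `*(int *)arg` with no range check, while the string path in ldap_int_tls_config only ever produces values in 0..0xffff ((major << 8) | minor with each part at most 0xff); a caller of ldap_set_option can therefore store a negative or otherwise malformed value that the backend will still compare against the SSL2/SSL3 thresholds. Consider `if ( !arg || *(int *)arg < 0 || *(int *)arg > 0xffff ) return -1;` so both entry points accept the same domain. ldap_pvt_tls_set_option starts and ends outside the hunk.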
+++ b/libraries/libldap/tls_o.c
@@ -222,6 +222,11 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 (const unsigned char *) "OpenLDAP", sizeof("OpenLDAP")-1 );
 }
 
+ if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
+ SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
+ else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
+ SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
+
 if ( lo->ldo_tls_ciphersuite &&
 !SSL_CTX_set_cipher_list( ctx, lt->lt_ciphersuite ) )
 {
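Review bot: The minimum is enforced only as far as SSLv3: every value above LDAP_OPT_X_TLS_PROTOCOL_SSL3 maps to the same `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3`, so configuring TLS 1.1 or higher as the floor still lets the peer negotiate TLS 1.0, a silent downgrade from the configured policy with nothing logged. Since ldap_int_tls_config encodes versions as (major << 8) | minor, a third tier comparing against TLS 1.0 (0x301) and adding SSL_OP_NO_TLSv1 closes the gap for the versions the OpenSSL of this era can distinguish; a floor the option set cannot express should at least be reported rather than quietly rounded down. tlso_ctx_init starts before and ends after the hunk.

```c
	/* (major << 8) | minor, as encoded by ldap_int_tls_config */
	if ( lo->ldo_tls_protocol_min > ((3 << 8) | 1) )	/* above TLS 1.0 */
		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 );
	else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL3 )
		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 );
	else if ( lo->ldo_tls_protocol_min > LDAP_OPT_X_TLS_PROTOCOL_SSL2 )
		SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
```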