From 3dae953fd6648f655c6bc67702fad4debbe59c40 Mon Sep 17 00:00:00 2001
From: Jan Vcelak
Date: Tue, 9 Aug 2011 15:21:34 +0200
Subject: [PATCH] ITS#7014 TLS: don't check hostname if reqcert is 'allow'

If server certificate hostname does not match the server hostname, connection is closed even if client has set TLS_REQCERT to 'allow'. This is wrong - the documentation says, that bad certificates are being ignored when TLS_REQCERT is set to 'allow'.
---
 libraries/libldap/tls2.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
index f38db2755d..3f05c1e127 100644
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -838,7 +838,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 	/*
 	 * compare host with name(s) in certificate
 	 */
-	if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER) {
+	if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
+	    ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
 		ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
 		if (ld->ld_errno != LDAP_SUCCESS) {
 			return ld->ld_errno;
-- 
2.39.5
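Review bot: The comment above the condition still reads only `compare host with name(s) in certificate`, while the new code now skips that comparison for both `LDAP_OPT_X_TLS_NEVER` and `LDAP_OPT_X_TLS_ALLOW`, and the reason for the `allow` case (a bad certificate is documented to be ignored, so a name mismatch must not abort the handshake) lives only in the commit message. I would extend the comment to `/* compare host with name(s) in certificate; skipped for 'never' and 'allow', where the documented policy is to ignore a bad certificate */` so the next reader does not "fix" the condition back. Under `allow` a mismatch is now entirely silent — `ld_errno` is not set and nothing visible in the hunk logs it — so a caller cannot tell a matching name from an ignored mismatch; if that distinction matters, a debug-level log on the skipped path would make it observable. The enclosing `ldap_int_tls_start` body continues outside the hunk.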