29 lines
1.0 KiB
Diff
29 lines
1.0 KiB
Diff
|
Do not check server hostname when TLS_REQCERT is 'allow'.
|
||
|
|
|
||
|
|
If server certificate hostname does not match the server hostname,
|
||
|
|
connection is closed even if client has set TLS_REQCERT to 'allow'. This
|
||
|
|
is wrong - the documentation says, that bad certificates are being
|
||
|
|
ignored when TLS_REQCERT is set to 'allow'.
|
||
|
|
|
||
|
|
Author: Jan Vcelak <jvcelak@redhat.com>
|
||
|
|
Upstream ITS: #7014
|
||
|
|
Resolves: #725819
|
||
|
|
|
||
|
|
diff --git a/libraries/libldap/tls2.c b/libraries/libldap/tls2.c
|
||
|
|
index f38db27..3f05c1e 100644
|
||
|
|
--- a/libraries/libldap/tls2.c
|
||
|
|
+++ b/libraries/libldap/tls2.c
|
||
|
|
@@ -838,7 +838,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
|
||
|
|
/*
|
||
|
|
* compare host with name(s) in certificate
|
||
|
|
*/
|
||
|
|
- if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER) {
|
||
|
|
+ if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
|
||
|
|
+ ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
|
||
|
|
ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
|
||
|
|
if (ld->ld_errno != LDAP_SUCCESS) {
|
||
|
|
return ld->ld_errno;
|
||
|
|
--
|
||
|
|
1.7.6
|
||
|
|
|