diff options
| author | Todd Lyons <tlyons@exim.org> | 2013-09-10 14:09:51 -0700 |
|---|---|---|
| committer | Todd Lyons <tlyons@exim.org> | 2013-09-22 09:22:48 -0700 |
| commit | 33382dd9537a16c676e07632e122c0112855d5c3 (patch) | |
| tree | 9bd29c4a2eb6b845c9f801ec984cb969f5f549fe | |
| parent | a30a8861ef512a88394517f713f1e66b486e5c7c (diff) | |
| download | exim4-33382dd9537a16c676e07632e122c0112855d5c3.tar.gz | |
Bug 1287 - Fix tls_require_cert
| -rw-r--r-- | doc/doc-txt/ChangeLog | 5 | ||||
| -rw-r--r-- | src/src/lookups/ldap.c | 35 |
2 files changed, 37 insertions, 3 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 9d9f17d5b..61cd6f02b 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -223,6 +223,11 @@ TL/09 Add expansion variable $authenticated_fail_id to keep track of TL/10 Bugzilla 1375 - Prevent TLS rebinding in ldap. Patch provided by Alexander Miroch. +TL/11 Bugzilla 1382 - Option ldap_require_cert overrides start_tls + ldap library initialization, allowing self-signed CA's to be + used. Also properly sets require_cert option later in code by + using NULL (global ldap config) instead of ldap handle (per + session). Bug diagnosis and testing by alxgomz. Exim version 4.80.1 ------------------- diff --git a/src/src/lookups/ldap.c b/src/src/lookups/ldap.c index f121bce61..bb29b43af 100644 --- a/src/src/lookups/ldap.c +++ b/src/src/lookups/ldap.c @@ -416,15 +416,43 @@ if (lcp == NULL) if (!ldapi) { int tls_option; + #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT + if (eldap_require_cert != NULL) + { + tls_option = LDAP_OPT_X_TLS_NEVER; + if (Ustrcmp(eldap_require_cert, "hard") == 0) + { + tls_option = LDAP_OPT_X_TLS_HARD; + } + else if (Ustrcmp(eldap_require_cert, "demand") == 0) + { + tls_option = LDAP_OPT_X_TLS_DEMAND; + } + else if (Ustrcmp(eldap_require_cert, "allow") == 0) + { + tls_option = LDAP_OPT_X_TLS_ALLOW; + } + else if (Ustrcmp(eldap_require_cert, "try") == 0) + { + tls_option = LDAP_OPT_X_TLS_TRY; + } + DEBUG(D_lookup) + debug_printf("Require certificate overrides LDAP_OPT_X_TLS option (%d)\n", + tls_option); + } + else + #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */ if (strncmp(ludp->lud_scheme, "ldaps", 5) == 0) { tls_option = LDAP_OPT_X_TLS_HARD; - DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_HARD set\n"); + DEBUG(D_lookup) + debug_printf("LDAP_OPT_X_TLS_HARD set due to ldaps:// URI\n"); } else { tls_option = LDAP_OPT_X_TLS_TRY; - DEBUG(D_lookup) debug_printf("LDAP_OPT_X_TLS_TRY set\n"); + DEBUG(D_lookup) + debug_printf("LDAP_OPT_X_TLS_TRY set due to ldap:// URI\n"); } ldap_set_option(ld, LDAP_OPT_X_TLS, (void *)&tls_option); } @@ -480,7 +508,8 @@ if (lcp == NULL) { cert_option = LDAP_OPT_X_TLS_TRY; } - ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option); + /* Use NULL ldap handle because is a global option */ + ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &cert_option); } #endif |