
Ticket #281 - TLS not working with latest openldap

https://fedorahosted.org/389/ticket/281
Resolves: Ticket #281
Bug Description: TLS not working with latest openldap
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Be sure to call
ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &val);
last after setting all of the other TLS options.
Platforms tested: RHEL6 x86_64, Fedora 16
Flag Day: no
Doc impact: no
Rich Megginson 14 years ago
parent
commit
3d2f151f5e
2 changed files with 11 additions and 11 deletions
  1. 4 4
      ldap/servers/slapd/ldaputil.c
  2. 7 7
      ldap/servers/slapd/tools/ldclt/ldapfct.c

+ 4 - 4
ldap/servers/slapd/ldaputil.c

@@ -814,10 +814,6 @@ slapi_ldap_init_ext(
 	    }
 
 #if defined(USE_OPENLDAP)
-	    if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &optval))) {
-		slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
-				"failed: unable to create new TLS context\n");
-	    }
 	    if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &ssl_strength))) {
 		slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
 				"failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
@@ -835,6 +831,10 @@ slapi_ldap_init_ext(
 				"failed: unable to set minimum TLS protocol level to SSL3\n");
 	    }
 #endif /* LDAP_OPT_X_TLS_PROTOCOL_MIN */
+	    if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &optval))) {
+		slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
+				"failed: unable to create new TLS context\n");
+	    }
 #else  /* !USE_OPENLDAP */
 	    if ((rc = ldapssl_set_strength(myld, ssl_strength)) ||
 		(rc = ldapssl_set_option(myld, SSL_ENABLE_SSL2, PR_FALSE)) ||
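Review bot: The ordering this fix depends on is not recorded in the code: the `LDAP_OPT_X_TLS_NEWCTX` call added in the second hunk now sits after every other TLS option, and nothing in the file stops a later edit from moving it back above `LDAP_OPT_X_TLS_REQUIRE_CERT`, which is the exact condition this commit repairs. A comment directly above the added `ldap_set_option` call would guard it, e.g. `/* NEWCTX must stay last: per ticket #281 the TLS context is created from the options set above it, so options set afterwards are not picked up */`. The same comment belongs on the block moved in ldap/servers/slapd/tools/ldclt/ldapfct.c. Note also that in this file a NEWCTX failure is only logged and execution falls through to the `#else` boundary; slapi_ldap_init_ext continues outside the hunk, so whether a caller ever sees that non-zero `rc` cannot be told from here, whereas the ldapfct.c version aborts via `goto done`.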

+ 7 - 7
ldap/servers/slapd/tools/ldclt/ldapfct.c

@@ -749,13 +749,6 @@ connectToLDAP(thread_context *tttctx, const char *bufBindDN, const char *bufPass
        for the hostname, so have to defeat fqdn checking in cn of subject of server cert */
     int ssl_strength = LDAP_OPT_X_TLS_NEVER;
     char *certdir = ldclt_dirname(mctx.certfile);
-    if ((ret = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &optval))) {
-      printf ("ldclt[%d]: T%03d: Cannot ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX), errno=%d ldaperror=%d:%s\n",
-	      mctx.pid, thrdNum, errno, ret, my_ldap_err2string(ret));
-      fflush (stdout);
-      free(certdir);
-      goto done;
-    }
     if ((ret = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &ssl_strength))) {
       printf ("ldclt[%d]: T%03d: Cannot ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT), errno=%d ldaperror=%d:%s\n",
 	      mctx.pid, thrdNum, errno, ret, my_ldap_err2string(ret));
@@ -776,6 +769,13 @@ connectToLDAP(thread_context *tttctx, const char *bufBindDN, const char *bufPass
       free(certdir);
       goto done;
     }
+    if ((ret = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &optval))) {
+      printf ("ldclt[%d]: T%03d: Cannot ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX), errno=%d ldaperror=%d:%s\n",
+	      mctx.pid, thrdNum, errno, ret, my_ldap_err2string(ret));
+      fflush (stdout);
+      free(certdir);
+      goto done;
+    }
     free(certdir);
   }
 #else /* !USE_OPENLDAP */