ITS#7014 TLS: don't check hostname if reqcert is 'allow'

If server certificate hostname does not match the server hostname, connection is closed even if client has set TLS_REQCERT to 'allow'. This is wrong - the documentation says, that bad certificates are being ignored when TLS_REQCERT is set to 'allow'.

ITS#7014 TLS: don't check hostname if reqcert is 'allow'
09c5f495 · Jan Vcelak · Quanah Gibson-Mount · 0836855e · 09c5f495
Commit 09c5f495 authored 13 years ago by Jan Vcelak Committed by Quanah Gibson-Mount 13 years ago
--- a/libraries/libldap/tls2.c
+++ b/libraries/libldap/tls2.c
@@ -838,7 +838,8 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 	/* 
 	 * compare host with name(s) in certificate
 	 */
-	if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER) {
+	if (ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER &&
+	    ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW) {
 		ld->ld_errno = ldap_pvt_tls_check_hostname( ld, ssl, host );
 		if (ld->ld_errno != LDAP_SUCCESS) {
 			return ld->ld_errno;