Revert "ITS#8427 Set up TLS settings on each reconnection"

This reverts commit 6f623dfa.

servers/slapd/back-ldap/bind.c

@@ -729,7 +729,11 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
 		sb = &li->li_tls;
 	}
 
-	bindconf_tls_set( sb, ld );
+	if ( sb->sb_tls_do_init ) {
+		bindconf_tls_set( sb, ld );
+	} else if ( sb->sb_tls_ctx ) {
+		ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
+	}
 
 	/* if required by the bindconf configuration, force TLS */
 	if ( ( sb == &li->li_acl || sb == &li->li_idassert.si_bc ) &&

servers/slapd/back-meta/conn.c

@@ -433,7 +433,11 @@ retry_lock:;
 			sb = &mt->mt_tls;
 		}
 
-		bindconf_tls_set( sb, msc->msc_ld );
+		if ( sb->sb_tls_do_init ) {
+			bindconf_tls_set( sb, msc->msc_ld );
+		} else if ( sb->sb_tls_ctx ) {
+			ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
+		}
 
 		if ( !is_ldaps ) {
 			if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {

servers/slapd/config.c

@@ -1864,7 +1864,7 @@ static struct {
 
 int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 {
-	int i, rc, res = 0;
+	int i, rc, newctx = 0, res = 0;
 	char *ptr = (char *)bc, **word;
 
 	bc->sb_tls_do_init = 0;
@@ -1878,7 +1878,8 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 					"bindconf_tls_set: failed to set %s to %s\n",
 						bindtlsopts[i].key, *word, 0 );
 				res = -1;
-			}
+			} else
+				newctx = 1;
 		}
 	}
 	if ( bc->sb_tls_reqcert ) {
@@ -1889,7 +1890,8 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 				"bindconf_tls_set: failed to set tls_reqcert to %s\n",
 					bc->sb_tls_reqcert, 0, 0 );
 			res = -1;
-		}
+		} else
+			newctx = 1;
 	}
 	if ( bc->sb_tls_protocol_min ) {
 		rc = ldap_int_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
@@ -1899,7 +1901,8 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 				"bindconf_tls_set: failed to set tls_protocol_min to %s\n",
 					bc->sb_tls_protocol_min, 0, 0 );
 			res = -1;
-		}
+		} else
+			newctx = 1;
 	}
 #ifdef HAVE_OPENSSL_CRL
 	if ( bc->sb_tls_crlcheck ) {
@@ -1910,15 +1913,17 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 				"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
 					bc->sb_tls_crlcheck, 0, 0 );
 			res = -1;
-		}
+		} else
+			newctx = 1;
 	}
 #endif
-	if ( bc->sb_tls_ctx ) {
-		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx );
-		if ( rc )
-			res = rc;
-	} else {
+	if ( newctx ) {
 		int opt = 0;
+
+		if ( bc->sb_tls_ctx ) {
+			ldap_pvt_tls_ctx_free( bc->sb_tls_ctx );
+			bc->sb_tls_ctx = NULL;
+		}
 		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
 		if ( rc )
 			res = rc;
@@ -1995,7 +2000,14 @@ slap_client_connect( LDAP **ldp, slap_bindconf *sb )
 	slap_client_keepalive(ld, &sb->sb_keepalive);
 
 #ifdef HAVE_TLS
-	rc = bindconf_tls_set( sb, ld );
+	if ( sb->sb_tls_do_init ) {
+		rc = bindconf_tls_set( sb, ld );
+
+	} else if ( sb->sb_tls_ctx ) {
+		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX,
+			sb->sb_tls_ctx );
+	}
+
 	if ( rc ) {
 		Debug( LDAP_DEBUG_ANY,
 			"slap_client_connect: "