Commit 1273a38e authored by Ondřej Kuzník's avatar Ondřej Kuzník
Browse files

ITS#8427 Set up TLS settings on each reconnection

parent db40120a
......@@ -224,11 +224,7 @@ asyncmeta_init_one_conn(
sb = &mt->mt_tls;
}
if ( sb->sb_tls_do_init ) {
bindconf_tls_set( sb, msc->msc_ld );
} else if ( sb->sb_tls_ctx ) {
ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
}
bindconf_tls_set( sb, msc->msc_ld );
if ( !is_ldaps ) {
if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {
......
......@@ -729,11 +729,7 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
sb = &li->li_tls;
}
if ( sb->sb_tls_do_init ) {
bindconf_tls_set( sb, ld );
} else if ( sb->sb_tls_ctx ) {
ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
}
bindconf_tls_set( sb, ld );
/* if required by the bindconf configuration, force TLS */
if ( ( sb == &li->li_acl || sb == &li->li_idassert.si_bc ) &&
......
......@@ -428,11 +428,7 @@ retry_lock:;
sb = &mt->mt_tls;
}
if ( sb->sb_tls_do_init ) {
bindconf_tls_set( sb, msc->msc_ld );
} else if ( sb->sb_tls_ctx ) {
ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
}
bindconf_tls_set( sb, msc->msc_ld );
if ( !is_ldaps ) {
if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {
......
......@@ -1894,7 +1894,7 @@ static struct {
int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
{
int i, rc, newctx = 0, res = 0;
int i, rc, res = 0;
char *ptr = (char *)bc, **word;
bc->sb_tls_do_init = 0;
......@@ -1908,8 +1908,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
"bindconf_tls_set: failed to set %s to %s\n",
bindtlsopts[i].key, *word );
res = -1;
} else
newctx = 1;
}
}
}
if ( bc->sb_tls_reqcert ) {
......@@ -1920,8 +1919,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
"bindconf_tls_set: failed to set tls_reqcert to %s\n",
bc->sb_tls_reqcert );
res = -1;
} else
newctx = 1;
}
}
if ( bc->sb_tls_protocol_min ) {
rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
......@@ -1931,8 +1929,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
"bindconf_tls_set: failed to set tls_protocol_min to %s\n",
bc->sb_tls_protocol_min );
res = -1;
} else
newctx = 1;
}
}
#ifdef HAVE_OPENSSL_CRL
if ( bc->sb_tls_crlcheck ) {
......@@ -1943,17 +1940,15 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
bc->sb_tls_crlcheck );
res = -1;
} else
newctx = 1;
}
}
#endif
if ( newctx ) {
if ( bc->sb_tls_ctx ) {
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx );
if ( rc )
res = rc;
} else {
int opt = 0;
if ( bc->sb_tls_ctx ) {
ldap_pvt_tls_ctx_free( bc->sb_tls_ctx );
bc->sb_tls_ctx = NULL;
}
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
if ( rc )
res = rc;
......@@ -2030,14 +2025,7 @@ slap_client_connect( LDAP **ldp, slap_bindconf *sb )
slap_client_keepalive(ld, &sb->sb_keepalive);
#ifdef HAVE_TLS
if ( sb->sb_tls_do_init ) {
rc = bindconf_tls_set( sb, ld );
} else if ( sb->sb_tls_ctx ) {
rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX,
sb->sb_tls_ctx );
}
rc = bindconf_tls_set( sb, ld );
if ( rc ) {
Debug( LDAP_DEBUG_ANY,
"slap_client_connect: "
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment