- Oct 05, 2011
If the olcTLSVerifyClient is set to a value other than "never", the server should request that the client send a client certificate for possible use with client cert auth (e.g. SASL/EXTERNAL). If set to "allow", if the client sends a cert, and there are problems with it, the server will warn about problems, but will allow the SSL session to proceed without a client cert. If set to "try", if the client sends a cert, and there are problems with it, the server will warn about those problems, and shut down the SSL session. If set to "demand" or "hard", the client must send a cert, and the server will shut down the SSL session if there are problems. I added a new member of the tlsm context structure - tc_warn_only - if this is set, tlsm_verify_cert will only warn about errors, and only if TRACE level debug is set. This allows the server to warn but allow bad certs if "allow" is set, and warn and fail if "try" is set.
If tlsm_find_and_verify_cert_key finds the cert and/or key, and it fails to verify them, it will leave them allocated for the caller to dispose of. There were a couple of places that were not disposing of the cert and key upon error.
Quanah Gibson-Mount authored
Quanah Gibson-Mount authored
When a server certificate is not required in a TLS session (e.g. TLS_REQCERT is set to 'never'), ignore the expired issuer certificate error and do not terminate the connection.

- Sep 07, 2011
Quanah Gibson-Mount authored
Quanah Gibson-Mount authored

- Sep 06, 2011
Quanah Gibson-Mount authored
Quanah Gibson-Mount authored
Quanah Gibson-Mount authored
In tlsm_auth_cert_handler, we get the peer's cert from the socket using SSL_PeerCertificate. This value is allocated and/or cached. We must destroy it using CERT_DestroyCertificate.
Quanah Gibson-Mount authored
add hex timestamp to lutil_debug() output
Fix LASTMOD race condition in accesslog.c
Set refreshInterval even if using refreshAndPersist, since fallbacks will use refresh params
Quanah Gibson-Mount authored

- Sep 02, 2011
Quanah Gibson-Mount authored

- Jun 30, 2011

- Jun 28, 2011
Quanah Gibson-Mount authored
Howard Chu authored

- Jun 27, 2011
Quanah Gibson-Mount authored
Merge branch 'OPENLDAP_REL_ENG_2_4' of ssh://git-master.openldap.org/~git/git/openldap into OPENLDAP_REL_ENG_2_4