Howard Chu authored Aug 21, 2020 and Quanah Gibson-Mount committed Aug 21, 2020

Add an option to specify how subjectAlternativeNames should be
handled when validating the names in a server certificate.

Requires OpenSSL 1.0.2 or newer

Implemented for OpenSSL, GnuTLS just stubbed

Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use,
defaults to "none".

Add "tls-endpoint" binding type implementing "tls-server-end-point" from
RCF 5929, which is compatible with Windows.

Fix "tls-unique" to include the prefix in the bindings as per RFC 5056.

Always retry ldap_int_tls_connect() if it didn't complete,
regardless of blocking or non-blocking socket. Code from
ITS#7428 was wrong to only retry for async.

Patrick Monnerat authored Oct 21, 2017 and Ondřej Kuzník committed Jun 11, 2019

This can be done by setting them to an empty string value.

If multiple servers are specified, the connection to the first one
succeeds, and the hostname verification fails, *tls_session is not
dropped, but reused when connecting to the second server.

This is a problem with Mozilla NSS backend because another handshake
cannot be performed on the same file descriptor. From this reason,
hostname checking was moved into ldap_int_tls_connect() before
connection error handling.

Add get_option support, allow delete by setting a NULL arg.

Instead of loading from files.

retrieve peer cert for an active TLS session

Add LDAP_OPT_X_TLS_VERSION / LDAP_OPT_X_TLS_CIPHER for
retrieving from an LDAP session handle. Update ldap_get_option(3).

Note: I could not test the MozNSS patch due to the absence of
NSS PEM support on my machine. Given the review comments in
https://bugzilla.mozilla.org/show_bug.cgi?id=402712 I doubt that
trustworthy PEM support will be appearing for MozNSS any time soon.

Currently only implemented for OpenSSL.
Needs an option to set the criticality flag.

If a timeout is set, perform the SSL Handshake using non-blocking IO.  This way
we can timeout if SSL Handshake gets stuck for whatever reason.

This code is currently hidden behind #ifdefs (LDAP_USE_NON_BLOCKING_TLS) and
disabled by default as there seem to be some problems using NON-blocking
I/O during the TLS Handshake when linking against NSS (either a bug in NSS
itself of in tls_m.c, see discussion on -devel)

This patch adds an additional parameter to ldap_int_poll() in order to indicate
if we're waiting in order to perform a read or write operation.

Unfortunately automated checkers don't seem to read the documentation
for how APIs are expected to be used, and the C declaration syntax
isn't expressive enough to encode the documented usage.

Jan Vcelak authored Aug 09, 2011 and Howard Chu committed Aug 24, 2011

If server certificate hostname does not match the server hostname,
connection is closed even if client has set TLS_REQCERT to 'allow'. This
is wrong - the documentation says, that bad certificates are being
ignored when TLS_REQCERT is set to 'allow'.

to return the name of the underlying TLS implementation