un-break certificate verification

Commit 041d540 "Specify that we want to use the 'ldap' scheme to verify certificates" unconditionally set IO:Socket::SSL's SSL_verify_cn_scheme 'ldap'. In principle this is a good thing: it allows to verify whether the name of the host we connect to matches the host name in the certificate presented. But doing it unconditionally led to some trouble: * it broke $ldap->start_tls() completely. see SSL_verifycn_name in IO::Socket::SSL(3) for why * in the case of sslverify = 'none' it created a warning on every connect. This commit fixes both issues.
marschap · Sep 7, 2011 · a3c4f7f · gbarr · Sep 23, 2011 · marschap
1 parent 5ee91de
commit a3c4f7f
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
@@ -192,11 +192,18 @@ sub _SSL_context_init_args {
   my $arg = shift;
 
   my $verify = 0;
+  my %verifycn_ctx = ();
   my ($clientcert,$clientkey,$passwdcb);
 
   if (exists $arg->{'verify'}) {
       my $v = lc $arg->{'verify'};
       $verify = 0 + (exists $ssl_verify{$v} ? $ssl_verify{$v} : $verify);
+
+      if ($verify) {
+        $verifycn_ctx{SSL_verifycn_scheme} => "ldap";
+        $verifycn_ctx{SSL_verifycn_name} = $arg->{'sslserver'}
+          if (defined $arg->{'sslserver'});
+      }
   }
 
   if (exists $arg->{'clientcert'}) {
@@ -230,7 +237,7 @@ sub _SSL_context_init_args {
     SSL_verify_mode     => $verify,
     SSL_version         => defined $arg->{'sslversion'} ? $arg->{'sslversion'} :
                            'sslv2/3',
-    SSL_verifycn_scheme => "ldap",
+    %verifycn_ctx,
   );
 }
 
@@ -1031,6 +1038,8 @@ sub start_tls {
   delete $ldap->{net_ldap_root_dse};
 
   $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
+  $arg->{sslserver} = $ldap->{'net_ldap_host'} unless defined $arg->{sslserver};
+
   IO::Socket::SSL::context_init( { _SSL_context_init_args($arg) } );
   my $sock_class = ref($sock);