Commit 041d540 "Specify that we want to use the 'ldap' scheme to verify certificates" unconditionally set IO::Socket::SSL's SSL_verifycn_scheme to 'ldap'. In principle this is a good thing: it allows verifying whether the name of the host we connect to matches the host name in the certificate presented. But doing it unconditionally led to some trouble: * it broke $ldap->start_tls() completely; see SSL_verifycn_name in IO::Socket::SSL(3) for why * in the case of sslverify = 'none' it created a warning on every connect. This commit fixes both issues.
Showing
1 changed file
with
10 additions
and
1 deletion.
@@ -192,11 +192,18 @@ sub _SSL_context_init_args { | |
my $arg = shift; | ||
|
||
my $verify = 0; | ||
my %verifycn_ctx = (); | ||
my ($clientcert,$clientkey,$passwdcb); | ||
|
||
if (exists $arg->{'verify'}) { | ||
my $v = lc $arg->{'verify'}; | ||
$verify = 0 + (exists $ssl_verify{$v} ? $ssl_verify{$v} : $verify); | ||
|
||
if ($verify) { | ||
$verifycn_ctx{SSL_verifycn_scheme} => "ldap"; | ||
marschap
|
||
$verifycn_ctx{SSL_verifycn_name} = $arg->{'sslserver'} | ||
if (defined $arg->{'sslserver'}); | ||
} | ||
} | ||
|
||
if (exists $arg->{'clientcert'}) { | ||
|
@@ -230,7 +237,7 @@ sub _SSL_context_init_args { | |
SSL_verify_mode => $verify, | ||
SSL_version => defined $arg->{'sslversion'} ? $arg->{'sslversion'} : | ||
'sslv2/3', | ||
SSL_verifycn_scheme => "ldap", | ||
%verifycn_ctx, | ||
); | ||
} | ||
|
||
|
@@ -1031,6 +1038,8 @@ sub start_tls { | |
delete $ldap->{net_ldap_root_dse}; | ||
|
||
$arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion}; | ||
$arg->{sslserver} = $ldap->{'net_ldap_host'} unless defined $arg->{sslserver}; | ||
|
||
IO::Socket::SSL::context_init( { _SSL_context_init_args($arg) } ); | ||
my $sock_class = ref($sock); | ||
|
||
|
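Review bot: The new `if ($verify)` block in the first hunk gives no hint why hostname checking is now tied to `$verify`; the reason lives only in the commit message, and a maintainer tidying the code could hoist the scheme back out. A comment such as `# Request hostname checking only when certificate verification is enabled: an unconditional SSL_verifycn_scheme warns under verify => 'none', and start_tls() has no PeerHost to derive SSL_verifycn_name from (hence the sslserver default there).` would keep the two halves of this fix together. In the third hunk `$arg->{sslserver}` is defaulted from `$ldap->{'net_ldap_host'}`; if that field can hold an IP literal or a name that is not what the server's certificate carries, name verification will presumably fail for such sessions, so it is worth confirming what that field contains at this point (its assignment is outside the hunk). Both `_SSL_context_init_args` and `start_tls` begin and end outside the shown hunks.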
That's a typo/copy & paste error. I have put a fix on my next branch, but can you test/verify it?