un-break certificate verification

Commit 041d540 "Specify that we want to use the 'ldap' scheme to verify
certificates" unconditionally set IO::Socket::SSL's SSL_verify_cn_scheme
'ldap'.

In principle this is a good thing: it allows us to verify whether the name of
the host we connect to matches the host name in the certificate presented.

But doing it unconditionally led to some trouble:
* it broke $ldap->start_tls() completely.
  see SSL_verifycn_name in IO::Socket::SSL(3) for why
* in the case of sslverify = 'none' it created a warning
  on every connect.

This commit fixes both issues.
commit a3c4f7fe85129b036d915c9064752d9b542ad803 (1 parent: 5ee91de)
Author: marschap
Showing with 10 additions and 1 deletion.
  1. +10 −1 lib/Net/LDAP.pm
lib/Net/LDAP.pm (11 changes)
@@ -192,11 +192,18 @@ sub _SSL_context_init_args {
my $arg = shift;
my $verify = 0;
+ my %verifycn_ctx = ();
my ($clientcert,$clientkey,$passwdcb);
if (exists $arg->{'verify'}) {
my $v = lc $arg->{'verify'};
$verify = 0 + (exists $ssl_verify{$v} ? $ssl_verify{$v} : $verify);
+
+ if ($verify) {
+ $verifycn_ctx{SSL_verifycn_scheme} => "ldap";
+ $verifycn_ctx{SSL_verifycn_name} = $arg->{'sslserver'}
+ if (defined $arg->{'sslserver'});
+ }
}
if (exists $arg->{'clientcert'}) {
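Review bot: the line `$verifycn_ctx{SSL_verifycn_scheme} => "ldap";` uses the fat comma `=>` where an assignment `=` is needed; as written it is a two-element list evaluated in void context, so the hash element is never set (Perl only emits "useless use ... in void context" warnings), SSL_verifycn_scheme is silently absent from the context built below, and host name verification still does not use the 'ldap' scheme even when verify is on. Change it to `$verifycn_ctx{SSL_verifycn_scheme} = "ldap";`. Note also that SSL_verifycn_name is only populated when `sslserver` is supplied, so callers of this function that have no connect host (the start_tls case) must supply it themselves.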
@@ -230,7 +237,7 @@ sub _SSL_context_init_args {
SSL_verify_mode => $verify,
SSL_version => defined $arg->{'sslversion'} ? $arg->{'sslversion'} :
'sslv2/3',
- SSL_verifycn_scheme => "ldap",
+ %verifycn_ctx,
);
}
@@ -1031,6 +1038,8 @@ sub start_tls {
delete $ldap->{net_ldap_root_dse};
$arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
+ $arg->{sslserver} = $ldap->{'net_ldap_host'} unless defined $arg->{sslserver};
+
IO::Socket::SSL::context_init( { _SSL_context_init_args($arg) } );
my $sock_class = ref($sock);
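Review bot: defaulting `sslserver` to `$ldap->{'net_ldap_host'}` makes start_tls verify the server certificate against whatever the caller connected to; if that was an IP address or an alias not present in the certificate's CN or subjectAltName, the TLS handshake will now fail where it previously succeeded, so the POD for start_tls should document the new default and that `sslserver` can be passed explicitly to override it. Worth confirming in the same change that net_ldap_host holds only the bare host name (not a host:port string or an LDAP URI), since this value goes straight through as SSL_verifycn_name.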