ldap/servers/slapd/ldaputil.c | 8 ++++----
ldap/servers/slapd/tools/ldclt/ldapfct.c | 14 +++++++-------
2 files changed, 11 insertions(+), 11 deletions(-)
New commits:
commit 3d2f151f5ea4beb614194ea3aafc1b320511a2a3
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Fri Feb 3 13:16:20 2012 -0700
Ticket #281 - TLS not working with latest openldap
https://fedorahosted.org/389/ticket/281
Resolves: Ticket #281
Bug Description: TLS not working with latest openldap
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Be sure to call
ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &val);
last after setting all of the other TLS options.
Platforms tested: RHEL6 x86_64, Fedora 16
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 7901432..10d7907 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -814,10 +814,6 @@ slapi_ldap_init_ext(
}
#if defined(USE_OPENLDAP)
- if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &optval))) {
- slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
- "failed: unable to create new TLS context\n");
- }
if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &ssl_strength))) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
"failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
@@ -835,6 +831,10 @@ slapi_ldap_init_ext(
"failed: unable to set minimum TLS protocol level to SSL3\n");
}
#endif /* LDAP_OPT_X_TLS_PROTOCOL_MIN */
+ if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &optval))) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
+ "failed: unable to create new TLS context\n");
+ }
#else /* !USE_OPENLDAP */
if ((rc = ldapssl_set_strength(myld, ssl_strength)) ||
(rc = ldapssl_set_option(myld, SSL_ENABLE_SSL2, PR_FALSE)) ||
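Review bot: The new NEWCTX call is now the last TLS option set, which is the ordering OpenLDAP expects, but on failure rc is only assigned and logged, so whether slapi_ldap_init_ext hands back a handle whose REQUIRE_CERT and protocol-minimum settings were never instantiated depends on code outside the hunk; confirm rc is checked there, since a handle without its own context falls back to whatever the global context holds. The log line also drops the failure reason, unlike the REQUIRE_CERT message two lines above which prints its value; `"failed: unable to create new TLS context: %d (%s)\n", rc, ldap_err2string(rc)` would make the FATAL entry actionable. Note that the `#endif` for LDAP_OPT_X_TLS_PROTOCOL_MIN closes before the new call, so NEWCTX runs regardless of that build option, which is what is wanted. slapi_ldap_init_ext continues outside the hunk.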
diff --git a/ldap/servers/slapd/tools/ldclt/ldapfct.c
b/ldap/servers/slapd/tools/ldclt/ldapfct.c
index 6e66764..0e8a2fb 100644
--- a/ldap/servers/slapd/tools/ldclt/ldapfct.c
+++ b/ldap/servers/slapd/tools/ldclt/ldapfct.c
@@ -749,13 +749,6 @@ connectToLDAP(thread_context *tttctx, const char *bufBindDN, const
char *bufPass
for the hostname, so have to defeat fqdn checking in cn of subject of server cert
*/
int ssl_strength = LDAP_OPT_X_TLS_NEVER;
char *certdir = ldclt_dirname(mctx.certfile);
- if ((ret = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &optval))) {
- printf ("ldclt[%d]: T%03d: Cannot ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX),
errno=%d ldaperror=%d:%s\n",
- mctx.pid, thrdNum, errno, ret, my_ldap_err2string(ret));
- fflush (stdout);
- free(certdir);
- goto done;
- }
if ((ret = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &ssl_strength))) {
printf ("ldclt[%d]: T%03d: Cannot ldap_set_option(ld,
LDAP_OPT_X_TLS_REQUIRE_CERT), errno=%d ldaperror=%d:%s\n",
mctx.pid, thrdNum, errno, ret, my_ldap_err2string(ret));
@@ -776,6 +769,13 @@ connectToLDAP(thread_context *tttctx, const char *bufBindDN, const
char *bufPass
free(certdir);
goto done;
}
+ if ((ret = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &optval))) {
+ printf ("ldclt[%d]: T%03d: Cannot ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX),
errno=%d ldaperror=%d:%s\n",
+ mctx.pid, thrdNum, errno, ret, my_ldap_err2string(ret));
+ fflush (stdout);
+ free(certdir);
+ goto done;
+ }
free(certdir);
}
#else /* !USE_OPENLDAP */
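Review bot: The added block prints errno alongside the LDAP result, but as far as I know ldap_set_option does not set errno, so the value shown is whatever an earlier call left behind and can mislead whoever reads the ldclt output; printing ret and my_ldap_err2string(ret) alone, as in `printf ("ldclt[%d]: T%03d: Cannot ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX), ldaperror=%d:%s\n", mctx.pid, thrdNum, ret, my_ldap_err2string(ret));`, would be clearer (the same applies to the pre-existing REQUIRE_CERT message in the previous hunk). The goto done on failure is the important part, since with NEWCTX now last a failure leaves every TLS option set on ld without a context that applies them; confirm the done path does not go on to bind with that ld. Style: free(certdir) is now repeated on each error exit and once more on the success path in this block, so a single free before done or a dedicated cleanup label would remove the duplication. connectToLDAP's body continues outside the hunk.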