ITS#8427 Set up TLS settings on each reconnection

2026-01-06 06:59:54 -05:00 · 2019-06-12 16:40:04 +02:00 · 2019-06-12 16:40:04 +02:00 · 1273a38eda
commit 1273a38eda
parent db40120a27
4 changed files with 14 additions and 38 deletions
--- a/servers/slapd/back-asyncmeta/conn.c
+++ b/servers/slapd/back-asyncmeta/conn.c
@ -224,11 +224,7 @@ asyncmeta_init_one_conn(
 			sb = &mt->mt_tls;
 		}

-		if ( sb->sb_tls_do_init ) {
-			bindconf_tls_set( sb, msc->msc_ld );
-		} else if ( sb->sb_tls_ctx ) {
-			ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
-		}
+		bindconf_tls_set( sb, msc->msc_ld );

 		if ( !is_ldaps ) {
 			if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@ -729,11 +729,7 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
 		sb = &li->li_tls;
 	}

-	if ( sb->sb_tls_do_init ) {
-		bindconf_tls_set( sb, ld );
-	} else if ( sb->sb_tls_ctx ) {
-		ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
-	}
+	bindconf_tls_set( sb, ld );

 	/* if required by the bindconf configuration, force TLS */
 	if ( ( sb == &li->li_acl || sb == &li->li_idassert.si_bc ) &&
--- a/servers/slapd/back-meta/conn.c
+++ b/servers/slapd/back-meta/conn.c
@ -428,11 +428,7 @@ retry_lock:;
 			sb = &mt->mt_tls;
 		}

-		if ( sb->sb_tls_do_init ) {
-			bindconf_tls_set( sb, msc->msc_ld );
-		} else if ( sb->sb_tls_ctx ) {
-			ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
-		}
+		bindconf_tls_set( sb, msc->msc_ld );

 		if ( !is_ldaps ) {
 			if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@ -1894,7 +1894,7 @@ static struct {

 int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 {
-	int i, rc, newctx = 0, res = 0;
+	int i, rc, res = 0;
 	char *ptr = (char *)bc, **word;

 	bc->sb_tls_do_init = 0;
@ -1908,8 +1908,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 					"bindconf_tls_set: failed to set %s to %s\n",
 						bindtlsopts[i].key, *word );
 				res = -1;
-			} else
-				newctx = 1;
+			}
 		}
 	}
 	if ( bc->sb_tls_reqcert ) {
@ -1920,8 +1919,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 				"bindconf_tls_set: failed to set tls_reqcert to %s\n",
 					bc->sb_tls_reqcert );
 			res = -1;
-		} else
-			newctx = 1;
+		}
 	}
 	if ( bc->sb_tls_protocol_min ) {
 		rc = ldap_pvt_tls_config( ld, LDAP_OPT_X_TLS_PROTOCOL_MIN,
@ -1931,8 +1929,7 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 				"bindconf_tls_set: failed to set tls_protocol_min to %s\n",
 					bc->sb_tls_protocol_min );
 			res = -1;
-		} else
-			newctx = 1;
+		}
 	}
 #ifdef HAVE_OPENSSL_CRL
 	if ( bc->sb_tls_crlcheck ) {
@ -1943,17 +1940,15 @@ int bindconf_tls_set( slap_bindconf *bc, LDAP *ld )
 				"bindconf_tls_set: failed to set tls_crlcheck to %s\n",
 					bc->sb_tls_crlcheck );
 			res = -1;
-		} else
-			newctx = 1;
+		}
 	}
 #endif
-	if ( newctx ) {
+	if ( bc->sb_tls_ctx ) {
+		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, bc->sb_tls_ctx );
+		if ( rc )
+			res = rc;
+	} else {
 		int opt = 0;
-
-		if ( bc->sb_tls_ctx ) {
-			ldap_pvt_tls_ctx_free( bc->sb_tls_ctx );
-			bc->sb_tls_ctx = NULL;
-		}
 		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_NEWCTX, &opt );
 		if ( rc )
 			res = rc;
@ -2030,14 +2025,7 @@ slap_client_connect( LDAP **ldp, slap_bindconf *sb )
 	slap_client_keepalive(ld, &sb->sb_keepalive);

 #ifdef HAVE_TLS
-	if ( sb->sb_tls_do_init ) {
-		rc = bindconf_tls_set( sb, ld );
-
-	} else if ( sb->sb_tls_ctx ) {
-		rc = ldap_set_option( ld, LDAP_OPT_X_TLS_CTX,
-			sb->sb_tls_ctx );
-	}
-
+	rc = bindconf_tls_set( sb, ld );
 	if ( rc ) {
 		Debug( LDAP_DEBUG_ANY,
 			"slap_client_connect: "