From d8ac61d2a96e73d413c584e9b0f20e958ae4554d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?=
Date: Fri, 5 Jun 2026 12:16:30 +0100
Subject: [PATCH] ITS#10517 libldap+mbedtls: Check cert validation result

---
 libraries/libldap/tls_mt.c | 16 +++++++++++++++-
 tests/scripts/test067-tls | 13 +++++++++++++
 2 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/libraries/libldap/tls_mt.c b/libraries/libldap/tls_mt.c
index b707bcc519..c5d38a668d 100644
--- a/libraries/libldap/tls_mt.c
+++ b/libraries/libldap/tls_mt.c
@@ -50,6 +50,7 @@ typedef struct tlsmt_ctx {
 mbedtls_x509_crt ca_chain;
 unsigned long verify_depth;
 int refcount;
+ int reqcert;
 #ifdef LDAP_R_COMPILE
 ldap_pvt_thread_mutex_t ref_mutex;
 #endif
@@ -328,6 +329,7 @@ tlsmt_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server, char
 }
 }
 
+ ctx->reqcert = lo->ldo_tls_require_cert;
 switch ( lo->ldo_tls_require_cert ) {
 case LDAP_OPT_X_TLS_NEVER :
 mbedtls_ssl_conf_authmode( ssl_config, MBEDTLS_SSL_VERIFY_NONE );
@@ -372,8 +374,20 @@ static int
 tlsmt_session_accept( tls_session *sess )
 {
 tlsmt_session *s = (tlsmt_session *)sess;
+ int ret = mbedtls_ssl_handshake( &(s->ssl_ctx) );
 
- return mbedtls_ssl_handshake( &(s->ssl_ctx) );
+ /*
+ * ITS#10517: In case of TLS_DEMAND+, we set VERIFY_REQUIRED and
+ * certificate validation is handled above, but for TRY we use
+ * VERIFY_OPTIONAL and are expected to check the result ourselves.
+ */
+ if ( ret == 0 && s->config->reqcert == LDAP_OPT_X_TLS_TRY &&
+ mbedtls_ssl_get_peer_cert( &(s->ssl_ctx) ) != NULL &&
+ mbedtls_ssl_get_verify_result( &(s->ssl_ctx) ) != 0 ) {
+ return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
+ }
+
+ return ret;
 }
 
 static int
diff --git a/tests/scripts/test067-tls b/tests/scripts/test067-tls
index 13072152d2..3da2f8ecf5 100755
--- a/tests/scripts/test067-tls
+++ b/tests/scripts/test067-tls
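Review bot: The new `reqcert` member in the first hunk is undocumented, and because it caches an LDAP option value rather than an mbedtls authmode a reader has to find tlsmt_ctx_init to learn what it holds. A one-line comment on the field avoids that: `int reqcert; /* ldo_tls_require_cert as of ctx init; lets tlsmt_session_accept special-case LDAP_OPT_X_TLS_TRY */`. The rest of the struct lies outside the hunk.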
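Review bot: The rejection in the new `if` of the tlsmt_session_accept hunk throws away the verification flags, so a TRY failure surfaces only as the generic MBEDTLS_ERR_X509_CERT_VERIFY_FAILED and an operator cannot tell an unknown CA from an expired or name-mismatched certificate; keep them in a local, `uint32_t flags = mbedtls_ssl_get_verify_result( &(s->ssl_ctx) );`, and render them with `mbedtls_x509_crt_verify_info()` into the file's debug log before returning. Since VERIFY_OPTIONAL lets mbedtls complete the handshake, the peer already sees an established session when this function fails it; unless the caller's teardown does so, sending a fatal alert first, `mbedtls_ssl_send_alert_message( &(s->ssl_ctx), MBEDTLS_SSL_ALERT_LEVEL_FATAL, MBEDTLS_SSL_ALERT_MSG_BAD_CERT );`, would make the rejection explicit on the wire the way VERIFY_REQUIRED does for DEMAND. The `ret == 0` gate is only correct on non-blocking sockets if the caller re-invokes this function on WANT_READ/WANT_WRITE until the handshake completes, which is not visible here. The diffstat accounts for all three hunks, so tlsmt_session_connect is untouched; if it does not delegate to this function, the client side still ignores the TRY result and the new ldapsearch test would not exercise the fix.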
@@ -213,6 +213,19 @@ else
 echo "failed correctly with error code ($RC)"
 fi
 
+echo -n "Using ldapsearch on $SURI2 with reqcert TRY and no CA cert. Should fail..."
+$LDAPSEARCH -o tls_reqcert=try -b "cn=Subschema" -s base -H $SURIP2 \ '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \ >> $SEARCHOUT 2>&1
+RC=$?
+if test $RC = 0 ; then
+ echo "ldapsearch (ldaps) succeeded when it should have failed($RC)!"
+ test $KILLSERVERS != no && kill -HUP $KILLPIDS
+ exit 1
+else
+ echo "failed correctly with error code ($RC)"
+fi
+
 echo -n "Using ldapsearch on $SURI2 with CA cert and reqcert HARD..."
 $LDAPSEARCH -o tls_cacert=$TESTDIR/tls/ca/certs/testsuiteCA.crt -o tls_reqcert=hard -b "cn=Subschema" -s base -H $SURIP2 \
 '(&(objectClasses=top)(objectClasses=2.5.6.0))' cn objectClass \
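Review bot: The new test pins only one side of the distinction the library change relies on: it proves TRY rejects an unverifiable server certificate, but nothing here guards against the check firing for modes that must tolerate a bad certificate, so an over-eager regression would pass unnoticed. Unless an equivalent case already exists above this hunk, add the mirror right after it with the same RC pattern but expecting success, `$LDAPSEARCH -o tls_reqcert=allow -b "cn=Subschema" -s base -H $SURIP2 \` with the same filter and `>> $SEARCHOUT 2>&1` redirection, and fail the test when `$RC != 0`. The assertion `test $RC = 0` also accepts any failure, not just a certificate one; if the harness elsewhere pins exit codes for expected TLS failures, doing the same here would stop an unrelated connection error from masquerading as a pass.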