ITS#4072 ldap_pvt_tls_init_def_ctx() returns LDAP_NO_SUPPORT if not

sufficiently configured. Update slapd/slurpd to act appropriately.

libraries/libldap/tls.c

@@ -203,6 +203,12 @@ ldap_pvt_tls_init_def_ctx( void )
 	char *certfile = tls_opt_certfile;
 	char *keyfile = tls_opt_keyfile;
 
+#ifdef LDAP_R_COMPILE
+	ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
+#endif
+	if (( !cacertfile && !cacertdir ) || !certfile || !keyfile )
+		return LDAP_NOT_SUPPORTED;
+
 #ifdef HAVE_EBCDIC
 	/* This ASCII/EBCDIC handling is a real pain! */
 	if ( ciphersuite ) {
@@ -226,10 +232,6 @@ ldap_pvt_tls_init_def_ctx( void )
 		__atoe( keyfile );
 	}
 #endif
-
-#ifdef LDAP_R_COMPILE
-	ldap_pvt_thread_mutex_lock( &tls_def_ctx_mutex );
-#endif
 	if ( tls_def_ctx == NULL ) {
 		int i;
 		tls_def_ctx = SSL_CTX_new( SSLv23_method() );

servers/slapd/extended.c

@@ -69,9 +69,6 @@ static struct {
 	{ &slap_EXOP_CANCEL, SLAP_EXOP_HIDE, cancel_extop },
 	{ &slap_EXOP_WHOAMI, 0, whoami_extop },
 	{ &slap_EXOP_MODIFY_PASSWD, SLAP_EXOP_WRITES, passwd_extop },
-#ifdef HAVE_TLS
-	{ &slap_EXOP_START_TLS, 0, starttls_extop },
-#endif
 	{ NULL, 0, NULL }
 };
 

servers/slapd/main.c

@@ -669,7 +669,12 @@ unhandled_option:;
 		ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, NULL );
 
 		rc = ldap_pvt_tls_init_def_ctx();
-		if( rc != 0) {
+		if( rc == 0) {
+			ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
+			/* Restore previous ctx */
+			ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, def_ctx );
+			load_extop( &slap_EXOP_START_TLS, 0, starttls_extop );
+		} else if ( rc != LDAP_NOT_SUPPORTED ) {
 			Debug( LDAP_DEBUG_ANY,
 			    "main: TLS init def ctx failed: %d\n",
 			    rc, 0, 0 );
@@ -677,10 +682,6 @@ unhandled_option:;
 			SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
 			goto destroy;
 		}
-		/* Retrieve slapd's own ctx */
-		ldap_pvt_tls_get_option( NULL, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
-		/* Restore previous ctx */
-		ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_CTX, def_ctx );
 	}
 #endif
 

servers/slurpd/main.c

@@ -156,10 +156,20 @@ int main( int argc, char **argv )
 
 #ifdef HAVE_TLS
 	if( ldap_pvt_tls_init() || ldap_pvt_tls_init_def_ctx() ) {
-		fprintf( stderr, "TLS Initialization failed.\n" );
-		SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
-		rc = 1;
-		goto stop;
+		rc = 0;
+		/* See if we actually need TLS */
+		for ( i=0; i < sglob->num_replicas; i++ ) {
+			if ( sglob->replicas[i]->ri_tls || ( sglob->replicas[i]->ri_uri &&
+				!strncmp( sglob->replicas[i]->ri_uri, "ldaps:", 6 ))) {
+				rc = 1;
+				break;
+			}
+		}
+		if ( rc ) {
+			fprintf( stderr, "TLS Initialization failed.\n" );
+			SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
+			goto stop;
+		}
 	}
 #endif