upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-21 23:29:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
24372 commits 38 branches 309 tags 68 MiB
Commit graph

72 commits

Author SHA1 Message Date
Ondřej Kuzník
139944ac1e ITS#7982 Log TLS proto+cipher suite on client side 2024-09-27 14:21:20 +01:00
Quanah Gibson-Mount
073232bbc7 Happy New Year! 2024-03-26 19:45:07 +00:00
Howard Chu
5e13ef87a9 Revert "ITS#9952 libldap: use atexit for TLS teardown" 
This reverts commit 337455eb3a.
The change was non-portable, caused ITS#10176. OpenSSL 3 is
broken and should be fixed.
 2024-02-13 17:29:05 +00:00
Howard Chu
337455eb3a ITS#9952 libldap: use atexit for TLS teardown 2023-05-31 16:04:15 +00:00
Howard Chu
0b78166a47 ITS#9157: check for NULL ld 2022-05-21 16:39:29 +01:00
Quanah Gibson-Mount
788e9592ba Happy New Year! 2022-01-07 18:40:00 +00:00
Howard Chu
6c0dc99389 ITS#9668 ldap_int_tls_connect: isdigit() requires unsigned char 2021-09-06 21:14:21 +01:00
Howard Chu
2c0707cf13 ITS#9157 save TLS errmsg in ld->ld_error 2021-07-22 15:27:31 +01:00
Howard Chu
2a3b64f4e6 ITS#9518 add LDAP_OPT_X_TLS_PROTOCOL_MAX option 
OpenSSL only
 2021-04-09 18:12:40 +01:00
Howard Chu
bb6844e296 ITS#7295 don't init TLS threads by default 
Do it explicitly in servers
 2021-03-21 15:26:57 +00:00
Quanah Gibson-Mount
efaf9a4a17 Happy New Year! 2021-01-11 19:25:53 +00:00
Howard Chu
d2936fb1d5 ITS#9425 add more checks to ldap_X509dn2bv 2020-12-14 20:05:44 +00:00
Howard Chu
c944dc55b7 ITS#9423 ldap_X509dn2bv: check for invalid BER after RDN count 2020-12-13 21:52:00 +00:00
Quanah Gibson-Mount
c1411b8199 ITS#9323 - Limit to OpenSSL 1.0.2 or later 2020-08-25 21:52:04 +00:00
Howard Chu
608a822349 ITS#9318 add TLS_REQSAN option 
Add an option to specify how subjectAlternativeNames should be
handled when validating the names in a server certificate.
 2020-08-21 18:05:08 +00:00
Howard Chu
2386a11649 ITS#9054 Add support for multiple EECDH curves 
Requires OpenSSL 1.0.2 or newer
 2020-08-21 07:58:07 +01:00
Howard Chu
b8f34888c3 ITS#9176 check for numeric addrs before passing SNI 2020-04-27 18:25:49 +01:00
Howard Chu
5c0efb9ce8 ITS#9176 Add TLS SNI support to libldap 
Implemented for OpenSSL, GnuTLS just stubbed
 2020-04-27 03:41:12 +01:00
Isaac Boukris
3cd50fa8b3 ITS#9189 rework sasl-cbinding support 
Add LDAP_OPT_X_SASL_CBINDING option to define the binding type to use,
defaults to "none".

Add "tls-endpoint" binding type implementing "tls-server-end-point" from
RCF 5929, which is compatible with Windows.

Fix "tls-unique" to include the prefix in the bindings as per RFC 5056.
 2020-04-23 21:00:39 +02:00
Quanah Gibson-Mount
8505f774a5 Update to drop NON_BLOCKING ifdefs that were only really for moznss 2020-04-20 21:38:01 +00:00
Quanah Gibson-Mount
a019e7fe1a ITS#9207 - Remove MozNSS code and documentation 2020-04-20 21:38:01 +00:00
Howard Chu
735e1ab14b ITS#8650 loop on incomplete TLS handshake 
Always retry ldap_int_tls_connect() if it didn't complete,
regardless of blocking or non-blocking socket. Code from
ITS#7428 was wrong to only retry for async.
 2020-04-12 23:51:09 +01:00
Quanah Gibson-Mount
f6ad222e41 Happy New Year! 2020-01-09 16:50:21 +00:00
Ondřej Kuzník
860daa0989 ITS#7042 More to unsetting opts with an empty string 2019-06-12 11:50:14 +02:00
Patrick Monnerat
0f9afae02d ITS#7042 Allow unsetting of tls_* syncrepl options. 
This can be done by setting them to an empty string value.
 2019-06-11 15:36:03 +02:00
Vernon Smith
8158888085 ITS#8980 fix async connections with non-blocking TLS 2019-02-28 17:02:40 +00:00
Ondřej Kuzník
cd914149a6 Make prototypes available where needed 2019-02-19 10:26:39 +00:00
Ondřej Kuzník
09cec1f1b4 ITS#8731 Apply doc/devel/variadic_debug/03-libldap_Debug.cocci 2019-02-15 16:51:53 +00:00
Quanah Gibson-Mount
b45a6a7dc7 Happy New Year! 2019-01-14 18:46:16 +00:00
Ondřej Kuzník
10a6ffa3e9 Expose ldap_int_tls_connect as ldap_pvt_tls_connect 2018-10-22 11:35:31 +01:00
Quanah Gibson-Mount
59e9ff6243 Happy New Year 2018-03-22 15:35:24 +00:00
Ondřej Kuzník
8e34ed8c78 ITS#8753 Public key pinning support in libldap 2017-11-13 17:24:49 +00:00
Ian Puleston
46c93e41f4 ITS#8167 Fix non-blocking TLS with referrals 2017-10-06 13:57:13 -07:00
Jan Vcelak
acc5b88661 ITS#7373 - TLS: do not reuse tls_session if hostname check fails 
If multiple servers are specified, the connection to the first one
succeeds, and the hostname verification fails, *tls_session is not
dropped, but reused when connecting to the second server.

This is a problem with Mozilla NSS backend because another handshake
cannot be performed on the same file descriptor. From this reason,
hostname checking was moved into ldap_int_tls_connect() before
connection error handling.
 2017-10-06 10:44:07 -07:00
Quanah Gibson-Mount
43a039eba4 ITS#7428 - Non-blocking TLS is not compatible with MOZNSS 2017-09-26 10:59:08 -07:00
Howard Chu
83fb515555 Fixup cacert/cert/key options 
Add get_option support, allow delete by setting a NULL arg.
 2017-04-09 14:49:48 +01:00
Howard Chu
b402a2805f Add options to use DER format cert+keys directly 
Instead of loading from files.
 2017-04-09 00:13:42 +01:00
Quanah Gibson-Mount
1df85d3427 Happy New Year! 2017-01-03 12:36:47 -08:00
Quanah Gibson-Mount
6c4d6c880b Happy New Year! 2016-01-29 13:32:05 -06:00
Quanah Gibson-Mount
1705fa7e55 Happy New Year 2015-02-11 15:36:57 -06:00
Kurt Zeilenga
5c878c1bf2 Happy new year (belated) 2014-01-25 05:21:25 -08:00
Quanah Gibson-Mount
1a712bf18e Enable features that were hidden behind LDAP_DEVEL 2013-09-19 09:50:52 -07:00
Howard Chu
16f8b0902c ITS#7398 add LDAP_OPT_X_TLS_PEERCERT 
retrieve peer cert for an active TLS session
 2013-09-10 04:31:39 -07:00
Howard Chu
0045e56c34 ITS#7683 more for tls version/cipher info 
Add LDAP_OPT_X_TLS_VERSION / LDAP_OPT_X_TLS_CIPHER for
retrieving from an LDAP session handle. Update ldap_get_option(3).
 2013-09-09 11:52:10 -07:00
Howard Chu
7d6d6944c5 ITS#7683 log tls prot/cipher info 
Note: I could not test the MozNSS patch due to the absence of
NSS PEM support on my machine. Given the review comments in
https://bugzilla.mozilla.org/show_bug.cgi?id=402712 I doubt that
trustworthy PEM support will be appearing for MozNSS any time soon.
 2013-09-07 12:22:09 -07:00
Howard Chu
e631ce808e ITS#7595 Add Elliptic Curve support for OpenSSL 2013-09-07 09:47:40 -07:00
Howard Chu
ca310ebff4 Add channel binding support 
Currently only implemented for OpenSSL.
Needs an option to set the criticality flag.
 2013-08-26 23:31:48 -07:00
Kurt Zeilenga
0fd1bf30b8 Happy New Year 2013-01-02 10:22:57 -08:00
Ralf Haferkamp
c728ebf586 ITS#7428 Use non-blocking IO during SSL Handshake 
If a timeout is set, perform the SSL Handshake using non-blocking IO.  This way
we can timeout if SSL Handshake gets stuck for whatever reason.

This code is currently hidden behind #ifdefs (LDAP_USE_NON_BLOCKING_TLS) and
disabled by default as there seem to be some problems using NON-blocking
I/O during the TLS Handshake when linking against NSS (either a bug in NSS
itself of in tls_m.c, see discussion on -devel)

This patch adds an additional parameter to ldap_int_poll() in order to indicate
if we're waiting in order to perform a read or write operation.
 2012-11-21 14:25:18 +01:00
Kurt Zeilenga
2bbf9804b9 Happy New Year! 2012-01-01 07:10:53 -08:00