ejabberd development

Option to enable in LDAPS verification of peer certificate

    Details

      Description

      ejabberd's LDAPS does not check the validity of the peer certificate. This is preferable in most deployments, but in some cases the admin may prefer ejabberd to check that.

      ejabberd could implement a configurable option.

      See topic 1) in https://bugs.launchpad.net/ubuntu/+source/ejabberd/+bug/252698
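As an added example (not code from this ticket and not ejabberd's own eldap.erl), the following Erlang module shows how the requested option maps onto the Erlang/OTP `ssl` connect options: `verify_none` keeps the current behaviour described above, while `verify_peer` with a CA bundle makes the LDAPS handshake fail when the server certificate does not chain to a trusted CA. The mode names `false` and `hard`, the module name and the function names are assumptions chosen for illustration.

```erlang
%% Added example, not part of ejabberd's eldap.erl.
-module(ldaps_verify_example).
-export([tls_opts/3, connect/4]).

%% Verify :: false | hard   (assumed names for the requested option)
%% CAFile :: path to a PEM bundle of trusted CA certificates
%% Depth  :: maximum certificate chain length accepted by ssl
tls_opts(false, _CAFile, _Depth) ->
    %% Current behaviour described in the ticket: encrypt the session,
    %% but accept whatever certificate the LDAP server presents.
    [{verify, verify_none}];
tls_opts(hard, CAFile, Depth) ->
    %% Requested behaviour: abort the handshake unless the server's
    %% certificate chains to a CA in CAFile within Depth signatures.
    [{verify, verify_peer},
     {cacertfile, CAFile},
     {depth, Depth}].

%% Open an LDAPS connection with the chosen verification mode.
connect(Host, Port, Verify, CAFile) ->
    {ok, _Started} = application:ensure_all_started(ssl),
    Opts = [binary, {active, false}] ++ tls_opts(Verify, CAFile, 2),
    case ssl:connect(Host, Port, Opts, 5000) of
        {ok, Sock} ->
            {ok, Sock};
        {error, Reason} ->
            %% With Verify = hard an untrusted or self-signed server
            %% certificate ends up here instead of in a silently
            %% "encrypted" session to an impostor.
            {error, {ldaps_connect_failed, Host, Port, Reason}}
    end.
```

Note that `verify_peer` only checks that the chain is trusted; on OTP releases that support `{server_name_indication, Host}` together with `customize_hostname_check`, add those as well so that a valid certificate issued for a different host name is rejected too.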

        Activity

        Badlop added a comment:

        Proposed patch.

        ekhramtsov added a comment:

        Done in 3.0.x and 2.1.x

        Badlop added a comment:

        Note: the code included in ejabberd 2.1.x can be found in this patch:
        https://git.process-one.net/ejabberd/mainline/commit/f58d03c12e1160f40a7c38b61b0b6a47a1bc6a1b.patch

        The patch "1229-21.diff" that I attached in this ticket is old, different, and useless.

        Badlop added a comment:

        I've committed a related small patch to 2.1.x and master:

        --- a/src/eldap/eldap.erl
        +++ b/src/eldap/eldap.erl
        @@ -431,8 +431,7 @@ init([]) ->
             end;
         init({Hosts, Port, Rootdn, Passwd, Opts}) ->
             catch ssl:start(),
        -    {X1,X2,X3} = erlang:now(),
        -    ssl:seed(integer_to_list(X1) ++ integer_to_list(X2) ++ integer_to_list(X3)),
        +    ssl:seed(randoms:get_string()),
             Encrypt = case proplists:get_value(encrypt, Opts) of
                          tls -> tls;
                          _ -> none
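        Review bot: the replacement seed in `ssl:seed(randoms:get_string())` is only as strong as `randoms:get_string()`, which this hunk does not show; if that helper is itself derived from `erlang:now()` or `random:uniform/1`, the change removes the obviously guessable timestamp seed but adds no real entropy. Seed from an OS-backed source such as `crypto:rand_bytes/1` (`crypto:strong_rand_bytes/1` on newer OTP releases) instead, and note that `ssl:seed/1` belongs to the old ssl implementation, so on releases that ship only the new ssl this line will fail with undef, while the `catch ssl:start()` two lines above will have silently hidden any startup error.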
        
