  1. ejabberd development
  2. EJAB-1229

Option to enable in LDAPS verification of peer certificate

    Details

      Description

      ejabberd's LDAPS does not check the validity of the peer certificate. This is preferable in most deployments, but in some cases the admin may prefer ejabberd to check that.

      ejabberd could implement a configurable option.

      See topic 1) in https://bugs.launchpad.net/ubuntu/+source/ejabberd/+bug/252698
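
      A sketch of what such an option could map to in Erlang's ssl application, added here as an illustration; it is not ejabberd's code and not the patch attached to this ticket. The module name, the setting keys (verify, cacertfile, depth) and the default depth of 1 are assumptions made for the example.

```erlang
-module(ldaps_verify_example).
-export([tls_opts/1, connect/3]).

%% Hypothetical settings proplist (names are assumptions, not ejabberd options):
%%   {verify, true | false}   whether to validate the LDAP server certificate
%%   {cacertfile, Path}       PEM file with the trusted CA certificates
%%   {depth, N}               maximum number of intermediate certificates
tls_opts(Settings) ->
    case proplists:get_value(verify, Settings, false) of
        false ->
            %% Behaviour described in the ticket: the peer certificate is
            %% not validated, so any certificate is accepted.
            [{verify, verify_none}];
        true ->
            case proplists:get_value(cacertfile, Settings) of
                undefined ->
                    %% Fail closed: without trust anchors there is nothing
                    %% to validate the chain against.
                    erlang:error({missing_option, cacertfile});
                CAFile ->
                    [{verify, verify_peer},
                     {cacertfile, CAFile},
                     {depth, proplists:get_value(depth, Settings, 1)}]
            end
    end.

%% Opens the TLS connection an LDAPS client would then speak LDAP over.
%% With verify_peer, an untrusted or expired chain makes the handshake fail
%% and ssl:connect/4 returns {error, Reason} instead of {ok, Socket}.
connect(Host, Port, Settings) ->
    {ok, _} = application:ensure_all_started(ssl),
    ssl:connect(Host, Port,
                [binary, {active, false} | tls_opts(Settings)],
                5000).
```

      Chain validation does not by itself tie the certificate to the server's host name; whether the name is also checked depends on the OTP release in use.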

          Activity

          badlop Badlop added a comment -

          Proposed patch.

          ekhramtsov ekhramtsov added a comment -

          Done in 3.0.x and 2.1.x

          badlop Badlop added a comment -

          Note: the code included in ejabberd 2.1.x can be found in this patch:
          https://git.process-one.net/ejabberd/mainline/commit/f58d03c12e1160f40a7c38b61b0b6a47a1bc6a1b.patch

          The patch "1229-21.diff" that I attached in this ticket is old, different, and useless.

          badlop Badlop added a comment -

          I've committed a related small patch to 2.1.x and master:

          --- a/src/eldap/eldap.erl
          +++ b/src/eldap/eldap.erl
          @@ -431,8 +431,7 @@ init([]) ->
               end;
           init({Hosts, Port, Rootdn, Passwd, Opts}) ->
               catch ssl:start(),
          -    {X1,X2,X3} = erlang:now(),
          -    ssl:seed(integer_to_list(X1) ++ integer_to_list(X2) ++ integer_to_list(X3)),
          +    ssl:seed(randoms:get_string()),
               Encrypt = case proplists:get_value(encrypt, Opts) of
                            tls -> tls;
                            _ -> none
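
          Review bot: at the new `ssl:seed(randoms:get_string())` line, nothing in this hunk shows where randoms:get_string() gets its entropy. The removed lines seeded from erlang:now(), a guessable timestamp; if the randoms module is itself seeded from the clock, the replacement is just as predictable while looking safer. Please add a comment naming the entropy source, or seed from crypto:strong_rand_bytes/1 instead. Separately, the context line `catch ssl:start(),` discards any start-up error, so a failure to start ssl only surfaces later in init; matching on the result would make it visible here.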
          
