Details
-
Type:
Improvement
-
Status:
Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: ejabberd 2.1.4, ejabberd 3.0.0-alpha-1
-
Component/s: LDAP
-
Labels:None
-
Company:
-
Last commented by user ?:false
Description
ejabberd's LDAPS does not check the validity of the peer certificate. This is preferable in most deployments, but in some cases the admin may prefer ejabberd to check that.
ejabberd could implement a configurable option.
See topic 1) in https://bugs.launchpad.net/ubuntu/+source/ejabberd/+bug/252698
Activity
Show
ekhramtsov
added a comment - Done in 3.0.x and 2.1.x
Note: the code included in ejabberd 2.1.x can be found in this patch:
https://git.process-one.net/ejabberd/mainline/commit/f58d03c12e1160f40a7c38b61b0b6a47a1bc6a1b.patch
The patch "1229-21.diff" that I attached in this ticket is old, different, and useless.
I've committed a related small patch to 2.1.x and master:
--- a/src/eldap/eldap.erl
+++ b/src/eldap/eldap.erl
@@ -431,8 +431,7 @@ init([]) ->
end;
init({Hosts, Port, Rootdn, Passwd, Opts}) ->
catch ssl:start(),
- {X1,X2,X3} = erlang:now(),
- ssl:seed(integer_to_list(X1) ++ integer_to_list(X2) ++ integer_to_list(X3)),
+ ssl:seed(randoms:get_string()),
Encrypt = case proplists:get_value(encrypt, Opts) of
tls -> tls;
_ -> none
Show
Badlop
added a comment - I've committed a related small patch to 2.1.x and master:
--- a/src/eldap/eldap.erl
+++ b/src/eldap/eldap.erl
@@ -431,8 +431,7 @@ init([]) ->
end;
init({Hosts, Port, Rootdn, Passwd, Opts}) ->
catch ssl:start(),
- {X1,X2,X3} = erlang:now(),
- ssl:seed(integer_to_list(X1) ++ integer_to_list(X2) ++ integer_to_list(X3)),
+ ssl:seed(randoms:get_string()),
Encrypt = case proplists:get_value(encrypt, Opts) of
tls -> tls;
_ -> none
Proposed patch.