ejabberd development
EJAB-1229

Option to enable in LDAPS verification of peer certificate

    Details

      Description

      ejabberd's LDAPS does not check the validity of the peer certificate. This is preferable in most deployments, but in some cases the admin may prefer ejabberd to check that.

      ejabberd could implement a configurable option.

      See topic 1) in https://bugs.launchpad.net/ubuntu/+source/ejabberd/+bug/252698

        Activity

        Badlop
        added a comment -

        Proposed patch.

        Badlop made changes - Attachment: 1229-21.diff [ 16547 ]
        Badlop made changes - Summary: "Option to enable un LDAPS verification of peer certificate" -> "Option to enable in LDAPS verification of peer certificate"
        Badlop made changes - Assignee: Evgeniy Khramtsov [ ekhramtsov ]
        ekhramtsov made changes - Fix Version/s: ejabberd 2.1.4 [ 10573 ], ejabberd 3.0.0-alpha [ 10240 ]
        ekhramtsov
        added a comment -

        Done in 3.0.x and 2.1.x

        ekhramtsov made changes - Status: Open [ 1 ] -> Closed [ 6 ]; Resolution: Fixed [ 1 ]
        Badlop
        added a comment -

        Note: the code included in ejabberd 2.1.x can be found in this patch:
        https://git.process-one.net/ejabberd/mainline/commit/f58d03c12e1160f40a7c38b61b0b6a47a1bc6a1b.patch

        The patch "1229-21.diff" that I attached in this ticket is old, different, and useless.

        Badlop, 10/05/10 15:38 - commit: Use a standard method to get a random seed (EJAB-1229)
        Badlop, 10/05/10 15:39 - commit: Use a standard method to get a random seed (EJAB-1229)
        Badlop, 10/05/10 15:39 - commit: Use a standard method to get a random seed (EJAB-1229)
        Badlop, 10/05/10 15:39 - commit: Use a standard method to get a random seed (EJAB-1229)
        Badlop
        added a comment -

        I've committed a related small patch to 2.1.x and master:

        --- a/src/eldap/eldap.erl
        +++ b/src/eldap/eldap.erl
        @@ -431,8 +431,7 @@ init([]) ->
             end;
         init({Hosts, Port, Rootdn, Passwd, Opts}) ->
             catch ssl:start(),
        -    {X1,X2,X3} = erlang:now(),
        -    ssl:seed(integer_to_list(X1) ++ integer_to_list(X2) ++ integer_to_list(X3)),
        +    ssl:seed(randoms:get_string()),
             Encrypt = case proplists:get_value(encrypt, Opts) of
                          tls -> tls;
                          _ -> none
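        Review bot: the removed seed was built from erlang:now(), a predictable timestamp, so the security value of this hunk rests entirely on what randoms:get_string() returns, which is not visible here; the commit should state that it draws from a real entropy source and returns the string form that the old integer_to_list(...) ++ ... code showed ssl:seed/1 expects, otherwise the change is only a tidy-up. Separately, the unchanged `catch ssl:start(),` line directly above swallows any failure to start the ssl application, so when ssl is unavailable the first visible error will come from `ssl:seed(randoms:get_string()),` rather than from the real cause; consider matching on the result of ssl:start() instead of catching it.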
        
        Mickaël Rémond made changes - Workflow: development v3 [ 71967 ] -> Development v4 [ 81390 ]
