EJAB-1229

Option to enable in LDAPS verification of peer certificate

    Details

      Description

      ejabberd's LDAPS does not check the validity of the peer certificate. This is preferable in most deployments, but in some cases the admin may prefer ejabberd to check that.

      ejabberd could implement a configurable option.

      See topic 1) in https://bugs.launchpad.net/ubuntu/+source/ejabberd/+bug/252698

        Activity

        badlop Badlop created issue -
        badlop Badlop added a comment -

        Proposed patch.

        badlop Badlop made changes -
        Field Original Value New Value
        Attachment 1229-21.diff [ 16547 ]
        badlop Badlop made changes -
        Summary Option to enable un LDAPS verification of peer certificate Option to enable in LDAPS verification of peer certificate
        badlop Badlop made changes -
        Assignee Evgeniy Khramtsov [ ekhramtsov ]
        ekhramtsov ekhramtsov made changes -
        Fix Version/s ejabberd 2.1.4 [ 10573 ]
        Fix Version/s ejabberd 3.0.0-alpha [ 10240 ]
        ekhramtsov ekhramtsov added a comment -

        Done in 3.0.x and 2.1.x

        ekhramtsov ekhramtsov made changes -
        Status Open [ 1 ] Closed [ 6 ]
        Resolution Fixed [ 1 ]
        badlop Badlop added a comment -

        Note: the code included in ejabberd 2.1.x can be found in this patch:
        https://git.process-one.net/ejabberd/mainline/commit/f58d03c12e1160f40a7c38b61b0b6a47a1bc6a1b.patch

        The patch "1229-21.diff" that I attached in this ticket is old, different, and useless.

        badlop Badlop added a comment -

        I've committed a related small patch to 2.1.x and master:

        --- a/src/eldap/eldap.erl
        +++ b/src/eldap/eldap.erl
        @@ -431,8 +431,7 @@ init([]) ->
             end;
         init({Hosts, Port, Rootdn, Passwd, Opts}) ->
             catch ssl:start(),
        -    {X1,X2,X3} = erlang:now(),
        -    ssl:seed(integer_to_list(X1) ++ integer_to_list(X2) ++ integer_to_list(X3)),
        +    ssl:seed(randoms:get_string()),
             Encrypt = case proplists:get_value(encrypt, Opts) of
                          tls -> tls;
                          _ -> none
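
        Review bot: at the `ssl:seed(randoms:get_string())` line, nothing in this hunk shows what `randoms:get_string()` returns or how much entropy it carries, so the change alone does not establish that the new seed is less predictable than the removed `erlang:now()` concatenation, which was built only from the current timestamp. A short comment naming the source behind `randoms:get_string()` would settle that. Separately, only `ssl:start()` is wrapped in `catch`: if `randoms:get_string()` can fail here (for example because it depends on something not yet started when `init/1` runs), the failure would crash `init/1`, so either guard the call or document the start-order requirement.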
        
        mremond@process-one.net Mickaël Rémond made changes -
        Workflow development v3 [ 71967 ] Development v4 [ 81390 ]
