ejabberd development: EJAB-1229

Option to enable in LDAPS verification of peer certificate

Description

      ejabberd's LDAPS does not check the validity of the peer certificate. This is preferable in most deployments, but in some cases the admin may prefer ejabberd to check that.

      ejabberd could implement a configurable option.

      See topic 1) in https://bugs.launchpad.net/ubuntu/+source/ejabberd/+bug/252698
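The option the description asks for, shown as an added example that is not ejabberd's own code and not the patch this ticket was resolved with: a small Erlang module that maps a hypothetical admin setting (`ldaps_verify`, with values none | soft | hard, all names assumed for illustration) onto the OTP `ssl` client options an LDAPS connection would use. The OTP option names (`verify`, `cacertfile`, `depth`, `verify_fun`, `server_name_indication`) are real; `soft` validates the chain but only logs a failure, `hard` refuses the connection, and `none` is the behaviour the description reports as the status quo. Note that `server_name_indication` only makes OTP's `ssl` check the certificate against the dialled host name on newer OTP releases; on older ones it merely sets the SNI extension, so `hard` mode there still needs a `verify_fun` that matches the host name itself.

```erlang
%% ldaps_verify_example.erl -- added illustration, not ejabberd code.
%% Maps a hypothetical setting (ldaps_verify: none | soft | hard) to the
%% OTP ssl options an LDAPS client connection would pass to ssl:connect/4.
-module(ldaps_verify_example).
-export([ssl_opts/3, connect/4]).

%% none  : no validation at all (the status quo the ticket describes)
%% soft  : validate against CAFile, log failures, but still connect
%% hard  : validate against CAFile and refuse to connect on any failure
-spec ssl_opts(none | soft | hard, string(), file:filename()) -> [term()].
ssl_opts(none, _Host, _CAFile) ->
    [{verify, verify_none}];
ssl_opts(soft, Host, CAFile) ->
    base_opts(Host, CAFile) ++ [{verify_fun, {fun soft_verify/3, []}}];
ssl_opts(hard, Host, CAFile) ->
    base_opts(Host, CAFile).

%% Shared options for the two validating modes.
base_opts(Host, CAFile) ->
    [{verify, verify_peer},        % walk and check the chain
     {cacertfile, CAFile},         % trust anchors chosen by the admin
     {depth, 3},                   % maximum chain length accepted
     %% Match the certificate against the host we dialled; verify_peer
     %% alone only checks the chain, not the name (see caveat above).
     {server_name_indication, Host}].

%% verify_fun callback for soft mode: a bad certificate is logged and
%% then accepted, so the admin can see what would fail under hard mode.
soft_verify(_Cert, {bad_cert, Reason}, State) ->
    error_logger:warning_msg(
      "LDAPS: peer certificate check failed (~p); continuing because "
      "ldaps_verify is soft~n", [Reason]),
    {valid, State};
soft_verify(_Cert, {extension, _Ext}, State) ->
    {unknown, State};              % let ssl handle unknown extensions
soft_verify(_Cert, valid, State) ->
    {valid, State};
soft_verify(_Cert, valid_peer, State) ->
    {valid, State}.

%% Open an LDAPS socket (default port 636) with the chosen mode.
%% Returns {ok, SslSocket} or {error, Reason}; in hard mode a certificate
%% that does not chain to CAFile yields {error, {tls_alert, ...}}.
connect(Host, Port, Mode, CAFile) ->
    Opts = ssl_opts(Mode, Host, CAFile) ++ [binary, {active, false}],
    ssl:connect(Host, Port, Opts, 5000).
```

Usage from an Erlang shell after `ssl:start()`: `ldaps_verify_example:connect("ldap.example.org", 636, hard, "/etc/ssl/certs/ca.pem")`. With `hard`, a self-signed or expired server certificate makes the connect fail instead of silently proceeding; with `soft`, the same server connects but leaves a warning in the log, which is the mode to run first when turning verification on against an existing directory.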


          Activity

          badlop Badlop created issue -
          badlop Badlop added a comment -

          Proposed patch.

          badlop Badlop made changes -
          Field Original Value New Value
          Attachment 1229-21.diff [ 16547 ]
          badlop Badlop made changes -
          Summary Option to enable un LDAPS verification of peer certificate Option to enable in LDAPS verification of peer certificate
          badlop Badlop made changes -
          Assignee Evgeniy Khramtsov [ ekhramtsov ]
          ekhramtsov ekhramtsov made changes -
          Fix Version/s ejabberd 2.1.4 [ 10573 ]
          Fix Version/s ejabberd 3.0.0-alpha [ 10240 ]
          ekhramtsov ekhramtsov added a comment -

          Done in 3.0.x and 2.1.x

          ekhramtsov ekhramtsov made changes -
          Status Open [ 1 ] Closed [ 6 ]
          Resolution Fixed [ 1 ]
          badlop Badlop added a comment -

          Note: the code included in ejabberd 2.1.x can be found in this patch:
          https://git.process-one.net/ejabberd/mainline/commit/f58d03c12e1160f40a7c38b61b0b6a47a1bc6a1b.patch

          The patch "1229-21.diff" that I attached in this ticket is old, different, and useless.

          badlop Badlop added a comment -

          I've committed a related small patch to 2.1.x and master:

          --- a/src/eldap/eldap.erl
          +++ b/src/eldap/eldap.erl
          @@ -431,8 +431,7 @@ init([]) ->
               end;
           init({Hosts, Port, Rootdn, Passwd, Opts}) ->
               catch ssl:start(),
          -    {X1,X2,X3} = erlang:now(),
          -    ssl:seed(integer_to_list(X1) ++ integer_to_list(X2) ++ integer_to_list(X3)),
          +    ssl:seed(randoms:get_string()),
               Encrypt = case proplists:get_value(encrypt, Opts) of
                            tls -> tls;
                            _ -> none
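Review bot: The hunk does not show where `randoms:get_string()` gets its randomness from, and that is the whole question: the removed `erlang:now()` seed was predictable because wall-clock time is predictable, so the replacement is only an improvement if `randoms:get_string/0` reads from an unpredictable source rather than from another clock-seeded PRNG. A one-line comment at the call site stating the seed's source (or a pointer to the `randoms` module) would let a reader verify this without chasing the other file. Also worth a note in the same place: this runs in `init/1`, so every eldap process re-seeds the ssl application's shared PRNG on start, and the `catch ssl:start()` just above will hide an ssl start failure that would then surface as an obscure error from `ssl:seed/1`.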
          
          mremond@process-one.net Mickaël Rémond made changes -
          Workflow development v3 [ 71967 ] Development v4 [ 81390 ]
