From 2dfe3f35c7fef4792f15f0b3f9c9a10e5f9a4692 Mon Sep 17 00:00:00 2001 From: Simon Pichugin Date: Thu, 5 Aug 2021 16:15:09 +0200 Subject: [PATCH] Change TLS_REQSAN default to TRY --- doc/man/man5/ldap.conf.5 | 2 +- libraries/libldap/init.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 index cde2c875f..9f1aa2c0a 100644 --- a/doc/man/man5/ldap.conf.5 +++ b/doc/man/man5/ldap.conf.5 @@ -479,7 +479,6 @@ The client will not check any SAN in the certificate. The SAN is checked against the specified hostname. If a SAN is present but none match the specified hostname, the SANs are ignored and the usual check against the certificate DN is used. -This is the default setting. .TP .B try The SAN is checked against the specified hostname. If no SAN is present @@ -487,6 +486,7 @@ in the server certificate, the usual check against the certificate DN is used. If a SAN is present but doesn't match the specified hostname, the session is immediately terminated. This setting may be preferred when a mix of certs with and without SANs are in use. +This is the default setting. .TP .B demand | hard These keywords are equivalent. The SAN is checked against the specified diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c index 0d91808ec..fa4c176fd 100644 --- a/libraries/libldap/init.c +++ b/libraries/libldap/init.c @@ -625,7 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl gopts->ldo_tls_connect_cb = NULL; gopts->ldo_tls_connect_arg = NULL; gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND; - gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW; + gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_TRY; #endif gopts->ldo_keepalive_probes = 0; gopts->ldo_keepalive_interval = 0; -- 2.31.1