openldap/SOURCES/openldap-change-TLS_REQSAN-default-to-TRY.patch

From 2dfe3f35c7fef4792f15f0b3f9c9a10e5f9a4692 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@rehdat.com>
Date: Thu, 5 Aug 2021 16:15:09 +0200
Subject: [PATCH] Change TLS_REQSAN default to TRY

---
 doc/man/man5/ldap.conf.5 | 2 +-
 libraries/libldap/init.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index cde2c875f..9f1aa2c0a 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -479,7 +479,6 @@ The client will not check any SAN in the certificate.
 The SAN is checked against the specified hostname. If a SAN is
 present but none match the specified hostname, the SANs are ignored
 and the usual check against the certificate DN is used.
-This is the default setting.
 .TP
 .B try
 The SAN is checked against the specified hostname. If no SAN is present
@@ -487,6 +486,7 @@ in the server certificate, the usual check against the certificate DN
 is used. If a SAN is present but doesn't match the specified hostname,
 the session is immediately terminated. This setting may be preferred
 when a mix of certs with and without SANs are in use.
+This is the default setting.
 .TP
 .B demand | hard
 These keywords are equivalent. The SAN is checked against the specified
diff --git a/libraries/libldap/init.c b/libraries/libldap/init.c
index 0d91808ec..fa4c176fd 100644
--- a/libraries/libldap/init.c
+++ b/libraries/libldap/init.c
@@ -625,7 +625,7 @@ void ldap_int_initialize_global_options( struct ldapoptions *gopts, int *dbglvl
 	gopts->ldo_tls_connect_cb = NULL;
 	gopts->ldo_tls_connect_arg = NULL;
 	gopts->ldo_tls_require_cert = LDAP_OPT_X_TLS_DEMAND;
-	gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_ALLOW;
+	gopts->ldo_tls_require_san = LDAP_OPT_X_TLS_TRY;
 #endif
 	gopts->ldo_keepalive_probes = 0;
 	gopts->ldo_keepalive_interval = 0;
-- 
2.31.1