
Commit 2fc51b2

Add OPT_X_TLS_REQUIRE_SAN
Add bindings for the OPT_X_TLS_REQUIRE_SAN option. The flag was introduced in OpenLDAP 2.4.52 to configure subject alternative name verification. Signed-off-by: Christian Heimes <cheimes@redhat.com>
1 parent 69867f5 commit 2fc51b2


5 files changed

+59
-0
lines changed


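--- a/Doc/reference/ldap.rst
+++ b/Doc/reference/ldap.rst
@@ -346,6 +346,29 @@ TLS options
 :py:const:`OPT_X_TLS_HARD`
 Same as :py:const:`OPT_X_TLS_DEMAND`
 
+.. py:data:: OPT_X_TLS_REQUIRE_SAN
+
+get/set how OpenLDAP validates subject alternative name extension,
+available in OpenSSL 2.4.52 and newer.
+
+:py:const:`OPT_X_TLS_NEVER`
+Don't check SAN
+
+:py:const:`OPT_X_TLS_ALLOW`
+Check SAN first, always fall back to subject common name (default)
+
+:py:const:`OPT_X_TLS_TRY`
+Check SAN first, only fall back to subject common name, when no SAN
+extension is present (:rfc:`6125` conform validation)
+
+:py:const:`OPT_X_TLS_DEMAND`
+Validate peer cert chain and host name
+
+:py:const:`OPT_X_TLS_HARD`
+Require SAN, don't fall back to subject common name
+
+.. versionadded:: 3.4.0
+
 .. py:data:: OPT_X_TLS_ALLOW
 
 Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`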

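--- a/Lib/ldap/constants.py
+++ b/Lib/ldap/constants.py
@@ -298,6 +298,9 @@ class Str(Constant):
 TLSInt('OPT_X_TLS_PROTOCOL_MIN', optional=True),
 TLSInt('OPT_X_TLS_PACKAGE', optional=True),
 
+# Added in OpenLDAP 2.4.52
+TLSInt('OPT_X_TLS_REQUIRE_SAN', optional=True),
+
 Int('OPT_X_SASL_MECH'),
 Int('OPT_X_SASL_REALM'),
 Int('OPT_X_SASL_AUTHCID'),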

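--- a/Modules/constants_generated.h
+++ b/Modules/constants_generated.h
@@ -249,6 +249,10 @@ add_int(OPT_X_TLS_PROTOCOL_MIN);
 add_int(OPT_X_TLS_PACKAGE);
 #endif
 
+#if defined(LDAP_OPT_X_TLS_REQUIRE_SAN)
+add_int(OPT_X_TLS_REQUIRE_SAN);
+#endif
+
 #endif
 
 add_int(OPT_X_SASL_MECH);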

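--- a/Modules/options.c
+++ b/Modules/options.c
@@ -88,6 +88,9 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
 #ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
 case LDAP_OPT_X_TLS_PROTOCOL_MIN:
 #endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
+case LDAP_OPT_X_TLS_REQUIRE_SAN:
+#endif
 #endif
 #ifdef HAVE_SASL
 case LDAP_OPT_X_SASL_SSF_MIN:
@@ -298,6 +301,9 @@ LDAP_get_option(LDAPObject *self, int option)
 #ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
 case LDAP_OPT_X_TLS_PROTOCOL_MIN:
 #endif
+#ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
+case LDAP_OPT_X_TLS_REQUIRE_SAN:
+#endif
 #endif
 #ifdef HAVE_SASL
 case LDAP_OPT_X_SASL_SSF_MIN: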
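Review bot: The new `case LDAP_OPT_X_TLS_REQUIRE_SAN:` label is appended to the integer case group in LDAP_set_option (first hunk) and again in LDAP_get_option (second hunk), so nothing on the Python side range-checks the value; an integer outside OPT_X_TLS_NEVER..OPT_X_TLS_HARD is presumably rejected by ldap_set_option() in libldap and surfaced as an error, but that is only inferable here, not visible. Since OPT_X_TLS_REQUIRE_SAN reuses the same OPT_X_TLS_* value set as OPT_X_TLS_REQUIRE_CERT, a one-line comment on the group would save the next reader a trip to libldap: `/* integer TLS options: value range is validated by ldap_set_option(), not here */`. The two blocks must stay in sync; a comment at the setter pointing at the getter (or vice versa) would make that explicit. Both function bodies begin and end outside the hunks, so the conversion of the integer value and the error path were not reviewable from this page.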

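--- a/Tests/t_cext.py
+++ b/Tests/t_cext.py
@@ -932,6 +932,29 @@ def test_tls_packages(self):
 package = _ldap.get_option(_ldap.OPT_X_TLS_PACKAGE)
 self.assertIn(package, {"GnuTLS", "MozNSS", "OpenSSL"})
 
+@unittest.skipUnless(
+hasattr(_ldap, "OPT_X_TLS_REQUIRE_SAN"),
+reason="Test requires OPT_X_TLS_REQUIRE_SAN"
+)
+def test_require_san(self):
+l = self._open_conn(bind=False)
+value = l.get_option(_ldap.OPT_X_TLS_REQUIRE_SAN)
+self.assertIn(
+value,
+{
+_ldap.OPT_X_TLS_NEVER,
+_ldap.OPT_X_TLS_ALLOW,
+_ldap.OPT_X_TLS_TRY,
+_ldap.OPT_X_TLS_DEMAND,
+_ldap.OPT_X_TLS_HARD,
+}
+)
+l.set_option(_ldap.OPT_X_TLS_REQUIRE_SAN, _ldap.OPT_X_TLS_TRY)
+self.assertEqual(
+l.get_option(_ldap.OPT_X_TLS_REQUIRE_SAN),
+_ldap.OPT_X_TLS_TRY
+)
+
 
 if __name__ == '__main__':
 unittest.main()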
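Review bot: The first assertion in test_require_san only checks that the initial value is one of the five known levels, so it cannot detect a wrong default; if the binding is expected to expose the default the rst documents for this option (OPT_X_TLS_ALLOW, which still falls back to the subject CN), `self.assertEqual(value, _ldap.OPT_X_TLS_ALLOW)` would pin it. That is hedged because libldap may take the initial value from ldap.conf (TLS_REQSAN) or from a global option set earlier in the run, in which case the membership check is the right weaker assertion and a comment saying so would help. A docstring such as `"""OPT_X_TLS_REQUIRE_SAN is readable and round-trips on a per-connection basis."""` would also make the intent clear from the test name alone. A negative case, setting an integer outside NEVER..HARD and asserting the same error that set_option raises for the neighbouring integer TLS options, would confirm the binding surfaces libldap's rejection rather than silently accepting the value.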
