
Commit 5cac85a

committed
Add TLS version numbers and remove unsupported TLS options
Closes python-ldap#67
1 parent 6462e58 commit 5cac85a

4 files changed

+90
-25
lines changed

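--- a/Doc/reference/ldap.rst
+++ b/Doc/reference/ldap.rst
@@ -372,21 +372,27 @@ TLS options
 .. py:data:: OPT_X_TLS_ALLOW
 
 Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+and :py:const:`OPT_X_TLS_REQUIRE_SAN`
 
 .. py:data:: OPT_X_TLS_DEMAND
 
 Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+and :py:const:`OPT_X_TLS_REQUIRE_SAN`
 
 .. py:data:: OPT_X_TLS_HARD
 
 Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+and :py:const:`OPT_X_TLS_REQUIRE_SAN`
 
 .. py:data:: OPT_X_TLS_NEVER
 
 Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+and :py:const:`OPT_X_TLS_REQUIRE_SAN`
 
 .. py:data:: OPT_X_TLS_TRY
 
+Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+
 .. deprecated:: 3.3.0
 This value is only used by slapd server internally. It will be removed
 in the future.
@@ -400,10 +406,6 @@ TLS options
 
 get/set allowed cipher suites
 
-.. py:data:: OPT_X_TLS_CTX
-
-get address of internal memory address of TLS context (**DO NOT USE**)
-
 .. py:data:: OPT_X_TLS_PEERCERT
 
 Get peer's certificate as binary ASN.1 data structure (DER)
@@ -417,8 +419,47 @@ TLS options
 
 get/set minimum protocol version (wire protocol version as int)
 
-* ``0x303`` for TLS 1.2
-* ``0x304`` for TLS 1.3
+.. py:data:: OPT_X_TLS_PROTOCOL_MAX
+
+get/set maximum protocol version (wire protocol version as int),
+available in OpenSSL 2.5 and newer.
+
+.. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_SSL3
+
+Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents SSL 3
+
+.. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_0
+
+Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.0
+
+.. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_1
+
+Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.1
+
+.. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_2
+
+Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.2
+
+.. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_3
+
+Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.3
+
+.. versionadded:: 3.4.1
 
 .. py:data:: OPT_X_TLS_VERSION
 
@@ -428,12 +469,6 @@ TLS options
 
 get/set path to /dev/urandom (**DO NOT USE**)
 
-.. py:data:: OPT_X_TLS
-
-.. deprecated:: 3.3.0
-The option is deprecated in OpenLDAP and should no longer be used. It
-will be removed in the future.
-
 .. note::
 
 OpenLDAP supports several TLS/SSL libraries. OpenSSL is the most common
@@ -923,11 +958,6 @@ and wait for and return with the server's result, or with
 
 The *dn* and *attr* arguments are text strings; see :ref:`bytes_mode`.
 
-.. note::
-
-A design fault in the LDAP API prevents *value*
-from containing *NULL* characters.
-
 
 .. py:method:: LDAPObject.delete(dn) -> int
 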
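--- a/Lib/ldap/constants.py
+++ b/Lib/ldap/constants.py
@@ -267,8 +267,6 @@ class Str(Constant):
 
 Int('OPT_DEFBASE', optional=True),
 
-TLSInt('OPT_X_TLS', optional=True),
-TLSInt('OPT_X_TLS_CTX'),
 TLSInt('OPT_X_TLS_CACERTFILE'),
 TLSInt('OPT_X_TLS_CACERTDIR'),
 TLSInt('OPT_X_TLS_CERTFILE'),
@@ -306,6 +304,13 @@ class Str(Constant):
 
 # Added in OpenLDAP 2.5
 TLSInt('OPT_X_TLS_PEERCERT', optional=True),
+TLSInt('OPT_X_TLS_PROTOCOL_MAX', optional=True),
+
+TLSInt('OPT_X_TLS_PROTOCOL_SSL3', optional=True),
+TLSInt('OPT_X_TLS_PROTOCOL_TLS1_0', optional=True),
+TLSInt('OPT_X_TLS_PROTOCOL_TLS1_1', optional=True),
+TLSInt('OPT_X_TLS_PROTOCOL_TLS1_2', optional=True),
+TLSInt('OPT_X_TLS_PROTOCOL_TLS1_3', optional=True),
 
 Int('OPT_X_SASL_MECH'),
 Int('OPT_X_SASL_REALM'),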
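Review bot: The five `OPT_X_TLS_PROTOCOL_SSL3` … `OPT_X_TLS_PROTOCOL_TLS1_3` entries added in the second hunk are values for the MIN/MAX options rather than options themselves, but nothing in the list says so; the blank line separating them from `OPT_X_TLS_PROTOCOL_MAX` is the only hint. A one-line comment above that group, `# Protocol version values for OPT_X_TLS_PROTOCOL_MIN / OPT_X_TLS_PROTOCOL_MAX`, would make the distinction explicit for whoever next extends the list. The group sits under `# Added in OpenLDAP 2.5`, while the matching entry in Doc/reference/ldap.rst describes OPT_X_TLS_PROTOCOL_MAX as "available in OpenSSL 2.5 and newer"; the comment here looks like the intended library, so the documentation wording probably wants aligning in the same commit. The list these lines belong to starts and ends outside the hunk.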

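--- a/Modules/constants_generated.h
+++ b/Modules/constants_generated.h
@@ -202,12 +202,6 @@ add_int(OPT_DEFBASE);
 
 
 #if HAVE_TLS
-
-#if defined(LDAP_OPT_X_TLS)
-add_int(OPT_X_TLS);
-#endif
-
-add_int(OPT_X_TLS_CTX);
 add_int(OPT_X_TLS_CACERTFILE);
 add_int(OPT_X_TLS_CACERTDIR);
 add_int(OPT_X_TLS_CERTFILE);
@@ -279,6 +273,36 @@ add_int(OPT_X_TLS_REQUIRE_SAN);
 add_int(OPT_X_TLS_PEERCERT);
 #endif
 
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_MAX)
+add_int(OPT_X_TLS_PROTOCOL_MAX);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_SSL3)
+add_int(OPT_X_TLS_PROTOCOL_SSL3);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_0)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_0);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_1)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_1);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_2)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_2);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_3)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_3);
+#endif
+
 #endif
 
 add_int(OPT_X_SASL_MECH);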

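--- a/Modules/options.c
+++ b/Modules/options.c
@@ -98,6 +98,9 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
 #ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
 case LDAP_OPT_X_TLS_PROTOCOL_MIN:
 #endif
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MAX
+case LDAP_OPT_X_TLS_PROTOCOL_MAX:
+#endif
 #ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
 case LDAP_OPT_X_TLS_REQUIRE_SAN:
 #endif
@@ -344,6 +347,9 @@ LDAP_get_option(LDAPObject *self, int option)
 #ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
 case LDAP_OPT_X_TLS_PROTOCOL_MIN:
 #endif
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MAX
+case LDAP_OPT_X_TLS_PROTOCOL_MAX:
+#endif
 #ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
 case LDAP_OPT_X_TLS_REQUIRE_SAN:
 #endif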
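Review bot: The new `case LDAP_OPT_X_TLS_PROTOCOL_MAX:` in LDAP_set_option joins the PROTOCOL_MIN case, so the Python value is handed to libldap as a plain int and nothing in this hunk checks that it is one of the OPT_X_TLS_PROTOCOL_* values or that it is not below the currently configured PROTOCOL_MIN; presumably ldap_set_option reports or ignores an invalid combination, but that cannot be confirmed here because the int-handling branch these cases fall into lies outside the hunk, as does the rest of LDAP_set_option. Once that is confirmed, a short comment on the added case such as `/* protocol version int; range checking is left to libldap */` would record where the validation lives, since a caller lowering the maximum version is a security-relevant setting. The same case is added to LDAP_get_option in the second hunk and needs no separate note.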
