.IP CURLUSESSL_NONE
do not attempt to use SSL.
.IP CURLUSESSL_TRY
-Try using SSL, proceed as normal otherwise.
+Try using SSL, proceed as normal otherwise. Note that server may close the
+connection if the negotiation does not succeed.
.IP CURLUSESSL_CONTROL
Require SSL for the control connection or fail with \fICURLE_USE_SSL_FAILED\fP.
.IP CURLUSESSL_ALL
.SH DEFAULT
CURLUSESSL_NONE
.SH PROTOCOLS
-FTP, SMTP, POP3, IMAP
+FTP, SMTP, POP3, IMAP, LDAP
.SH EXAMPLE
.nf
CURL *curl = curl_easy_init();
.SH AVAILABILITY
Added in 7.11.0. This option was known as CURLOPT_FTP_SSL up to 7.16.4, and
the constants were known as CURLFTPSSL_*
+Handled by LDAP since 7.81.0. Fully supported by the openldap backend only.
.SH RETURN VALUE
Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
.SH "SEE ALSO"
typedef enum {
OLDAP_STOP, /* Do nothing state, stops the state machine */
OLDAP_SSL, /* Performing SSL handshake. */
+ OLDAP_STARTTLS, /* STARTTLS request sent. */
+ OLDAP_TLS, /* Performing TLS handshake. */
OLDAP_BIND, /* Simple bind reply. */
OLDAP_BINDV2, /* Simple bind reply in protocol version 2. */
OLDAP_LAST /* Never used */
static const char * const names[] = {
"STOP",
"SSL",
+ "STARTTLS",
+ "TLS",
"BIND",
"BINDV2",
/* LAST */
li->proto = proto;
conn->proto.ldapc = li;
connkeep(conn, "OpenLDAP default");
+
+ /* Clear the TLS upgraded flag */
+ conn->bits.tls_upgraded = FALSE;
+
return CURLE_OK;
}
return conn->proto.ldapc->recv != NULL;
}
-static CURLcode oldap_ssl_connect(struct Curl_easy *data)
+static CURLcode oldap_ssl_connect(struct Curl_easy *data, ldapstate newstate)
{
CURLcode result = CURLE_OK;
struct connectdata *conn = data->conn;
result = Curl_ssl_connect_nonblocking(data, conn, FALSE,
FIRSTSOCKET, &ssldone);
if(!result) {
- state(data, OLDAP_SSL);
+ state(data, newstate);
if(ssldone) {
Sockbuf *sb;
return result;
}
+
+/* Send the STARTTLS request */
+static CURLcode oldap_perform_starttls(struct Curl_easy *data)
+{
+ CURLcode result = CURLE_OK;
+ struct ldapconninfo *li = data->conn->proto.ldapc;
+ int rc = ldap_start_tls(li->ld, NULL, NULL, &li->msgid);
+
+ if(rc == LDAP_SUCCESS)
+ state(data, OLDAP_STARTTLS);
+ else
+ result = oldap_map_error(rc, CURLE_USE_SSL_FAILED);
+ return result;
+}
#endif
static CURLcode oldap_connect(struct Curl_easy *data, bool *done)
#ifdef USE_SSL
if(conn->handler->flags & PROTOPT_SSL)
- return oldap_ssl_connect(data);
+ return oldap_ssl_connect(data, OLDAP_SSL);
+
+ if(data->set.use_ssl) {
+ CURLcode result = oldap_perform_starttls(data);
+
+ if(!result || data->set.use_ssl != CURLUSESSL_TRY)
+ return result;
+ }
#endif
/* Force bind even if anonymous bind is not needed in protocol version 3
int code = LDAP_SUCCESS;
int rc;
- if(li->state != OLDAP_SSL) {
+ if(li->state != OLDAP_SSL && li->state != OLDAP_TLS) {
/* Get response to last command. */
rc = ldap_result(li->ld, li->msgid, LDAP_MSG_ONE, &tv, &msg);
if(!rc)
code = rc;
/* If protocol version 3 is not supported, fallback to version 2. */
- if(code == LDAP_PROTOCOL_ERROR && li->state != OLDAP_BINDV2) {
+ if(code == LDAP_PROTOCOL_ERROR && li->state != OLDAP_BINDV2
+#ifdef USE_SSL
+ && (ssl_installed(conn) || data->set.use_ssl <= CURLUSESSL_TRY)
+#endif
+ ) {
static const int version = LDAP_VERSION2;
ldap_set_option(li->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
#ifdef USE_SSL
case OLDAP_SSL:
- result = oldap_ssl_connect(data);
+ result = oldap_ssl_connect(data, OLDAP_SSL);
if(!result && ssl_installed(conn))
result = oldap_perform_bind(data, OLDAP_BIND);
break;
+ case OLDAP_STARTTLS:
+ if(code != LDAP_SUCCESS) {
+ if(data->set.use_ssl != CURLUSESSL_TRY)
+ result = oldap_map_error(code, CURLE_USE_SSL_FAILED);
+ else
+ result = oldap_perform_bind(data, OLDAP_BIND);
+ break;
+ }
+ /* FALLTHROUGH */
+ case OLDAP_TLS:
+ result = oldap_ssl_connect(data, OLDAP_TLS);
+ if(result && data->set.use_ssl != CURLUSESSL_TRY)
+ result = oldap_map_error(code, CURLE_USE_SSL_FAILED);
+ else if(ssl_installed(conn)) {
+ conn->bits.tls_upgraded = TRUE;
+ if(conn->bits.user_passwd)
+ result = oldap_perform_bind(data, OLDAP_BIND);
+ else {
+ state(data, OLDAP_STOP); /* Version 3 supported: no bind required */
+ result = CURLE_OK;
+ }
+ }
+ break;
#endif
case OLDAP_BIND:
projects / thirdparty / curl.git / commitdiff
