
Commit a1cb883

committed
Add TLS version numbers and remove unsupported TLS options
Closes #67
1 parent 1625c99 commit a1cb883


4 files changed

+90
-25
lines changed


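--- a/Doc/reference/ldap.rst
+++ b/Doc/reference/ldap.rst
@@ -372,21 +372,27 @@ TLS options
 .. py:data:: OPT_X_TLS_ALLOW
 
 Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+and :py:const:`OPT_X_TLS_REQUIRE_SAN`
 
 .. py:data:: OPT_X_TLS_DEMAND
 
 Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+and :py:const:`OPT_X_TLS_REQUIRE_SAN`
 
 .. py:data:: OPT_X_TLS_HARD
 
 Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+and :py:const:`OPT_X_TLS_REQUIRE_SAN`
 
 .. py:data:: OPT_X_TLS_NEVER
 
 Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+and :py:const:`OPT_X_TLS_REQUIRE_SAN`
 
 .. py:data:: OPT_X_TLS_TRY
 
+Value for :py:const:`OPT_X_TLS_REQUIRE_CERT`
+
 .. deprecated:: 3.3.0
 This value is only used by slapd server internally. It will be removed
 in the future.
@@ -400,10 +406,6 @@ TLS options
 
 get/set allowed cipher suites
 
-.. py:data:: OPT_X_TLS_CTX
-
-get address of internal memory address of TLS context (**DO NOT USE**)
-
 .. py:data:: OPT_X_TLS_PEERCERT
 
 Get peer's certificate as binary ASN.1 data structure (DER)
@@ -417,8 +419,47 @@ TLS options
 
 get/set minimum protocol version (wire protocol version as int)
 
-* ``0x303`` for TLS 1.2
-* ``0x304`` for TLS 1.3
+.. py:data:: OPT_X_TLS_PROTOCOL_MAX
+
+get/set maximum protocol version (wire protocol version as int),
+available in OpenSSL 2.5 and newer.
+
+.. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_SSL3
+
+Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents SSL 3
+
+.. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_0
+
+Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.0
+
+.. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_1
+
+Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.1
+
+.. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_2
+
+Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.2
+
+.. versionadded:: 3.4.1
+
+.. py:data:: OPT_X_TLS_PROTOCOL_TLS1_3
+
+Value for :py:const:`OPT_X_TLS_PROTOCOL_MIN` and
+:py:const:`OPT_X_TLS_PROTOCOL_MAX`, represents TLS 1.3
+
+.. versionadded:: 3.4.1
 
 .. py:data:: OPT_X_TLS_VERSION
 
@@ -428,12 +469,6 @@ TLS options
 
 get/set path to /dev/urandom (**DO NOT USE**)
 
-.. py:data:: OPT_X_TLS
-
-.. deprecated:: 3.3.0
-The option is deprecated in OpenLDAP and should no longer be used. It
-will be removed in the future.
-
 .. note::
 
 OpenLDAP supports several TLS/SSL libraries. OpenSSL is the most common
@@ -923,11 +958,6 @@ and wait for and return with the server's result, or with
 
 The *dn* and *attr* arguments are text strings; see :ref:`bytes_mode`.
 
-.. note::
-
-A design fault in the LDAP API prevents *value*
-from containing *NULL* characters.
-
 
 .. py:method:: LDAPObject.delete(dn) -> int
 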
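--- a/Lib/ldap/constants.py
+++ b/Lib/ldap/constants.py
@@ -267,8 +267,6 @@ class Str(Constant):
 
 Int('OPT_DEFBASE', optional=True),
 
-TLSInt('OPT_X_TLS', optional=True),
-TLSInt('OPT_X_TLS_CTX'),
 TLSInt('OPT_X_TLS_CACERTFILE'),
 TLSInt('OPT_X_TLS_CACERTDIR'),
 TLSInt('OPT_X_TLS_CERTFILE'),
@@ -306,6 +304,13 @@ class Str(Constant):
 
 # Added in OpenLDAP 2.5
 TLSInt('OPT_X_TLS_PEERCERT', optional=True),
+TLSInt('OPT_X_TLS_PROTOCOL_MAX', optional=True),
+
+TLSInt('OPT_X_TLS_PROTOCOL_SSL3', optional=True),
+TLSInt('OPT_X_TLS_PROTOCOL_TLS1_0', optional=True),
+TLSInt('OPT_X_TLS_PROTOCOL_TLS1_1', optional=True),
+TLSInt('OPT_X_TLS_PROTOCOL_TLS1_2', optional=True),
+TLSInt('OPT_X_TLS_PROTOCOL_TLS1_3', optional=True),
 
 Int('OPT_X_SASL_MECH'),
 Int('OPT_X_SASL_REALM'),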
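Review bot: The five new OPT_X_TLS_PROTOCOL_* constants are listed without noting that three of them name protocol versions that are deprecated (SSL 3 by RFC 7568, TLS 1.0 and 1.1 by RFC 8996), so a reader picking a value for OPT_X_TLS_PROTOCOL_MIN from this list gets no hint which ones lower the security floor of the connection. A comment above the `TLSInt('OPT_X_TLS_PROTOCOL_SSL3', optional=True),` line, `# SSL3, TLS1_0 and TLS1_1 are deprecated protocol versions; use TLS1_2 or newer as the minimum`, would cover that, and the matching `.. py:data::` entries added to Doc/reference/ldap.rst in this commit would benefit from the same caveat. Separately, this hunk files OPT_X_TLS_PROTOCOL_MAX under `# Added in OpenLDAP 2.5` while the ldap.rst hunk says it is "available in OpenSSL 2.5 and newer"; the doc wording looks like a slip for OpenLDAP. The surrounding constant list starts and ends outside the hunk.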

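--- a/Modules/constants_generated.h
+++ b/Modules/constants_generated.h
@@ -202,12 +202,6 @@ add_int(OPT_DEFBASE);
 
 
 #if HAVE_TLS
-
-#if defined(LDAP_OPT_X_TLS)
-add_int(OPT_X_TLS);
-#endif
-
-add_int(OPT_X_TLS_CTX);
 add_int(OPT_X_TLS_CACERTFILE);
 add_int(OPT_X_TLS_CACERTDIR);
 add_int(OPT_X_TLS_CERTFILE);
@@ -279,6 +273,36 @@ add_int(OPT_X_TLS_REQUIRE_SAN);
 add_int(OPT_X_TLS_PEERCERT);
 #endif
 
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_MAX)
+add_int(OPT_X_TLS_PROTOCOL_MAX);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_SSL3)
+add_int(OPT_X_TLS_PROTOCOL_SSL3);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_0)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_0);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_1)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_1);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_2)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_2);
+#endif
+
+
+#if defined(LDAP_OPT_X_TLS_PROTOCOL_TLS1_3)
+add_int(OPT_X_TLS_PROTOCOL_TLS1_3);
+#endif
+
 #endif
 
 add_int(OPT_X_SASL_MECH);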

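--- a/Modules/options.c
+++ b/Modules/options.c
@@ -98,6 +98,9 @@ LDAP_set_option(LDAPObject *self, int option, PyObject *value)
 #ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
 case LDAP_OPT_X_TLS_PROTOCOL_MIN:
 #endif
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MAX
+case LDAP_OPT_X_TLS_PROTOCOL_MAX:
+#endif
 #ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
 case LDAP_OPT_X_TLS_REQUIRE_SAN:
 #endif
@@ -344,6 +347,9 @@ LDAP_get_option(LDAPObject *self, int option)
 #ifdef LDAP_OPT_X_TLS_PROTOCOL_MIN
 case LDAP_OPT_X_TLS_PROTOCOL_MIN:
 #endif
+#ifdef LDAP_OPT_X_TLS_PROTOCOL_MAX
+case LDAP_OPT_X_TLS_PROTOCOL_MAX:
+#endif
 #ifdef LDAP_OPT_X_TLS_REQUIRE_SAN
 case LDAP_OPT_X_TLS_REQUIRE_SAN:
 #endif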
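Review bot: The new `case LDAP_OPT_X_TLS_PROTOCOL_MAX:` labels in LDAP_set_option and LDAP_get_option carry no comment saying what values are meaningful, and the surrounding group of plain-int option labels gives no hint either; a one-line comment above the PROTOCOL_MIN case in each switch, `/* wire protocol version; see the OPT_X_TLS_PROTOCOL_* constants */`, would tie them to the constants this commit exports. Both switch statements start and end outside the hunks, so it cannot be seen here whether the removed OPT_X_TLS and OPT_X_TLS_CTX constants still have case labels elsewhere in these functions; if they do, those branches are no longer reachable from Python and could be dropped or marked as such. Since PROTOCOL_MAX is handled as an unvalidated int, a caller can also set a maximum below the configured minimum; libldap presumably rejects that, but a test pinning the resulting error path would be worthwhile.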
