CVE-2020-36659: Add ldapVerify option for SSL cert validation · LemonLDAPNG/Apache-Session-Browseable@fdf3932
In Apache::Session::Browseable before 1.3.6, validity of the X.509 certificate is not checked by default when connecting to remote LDAP backends, because the default configuration of the Net::LDAPS module for Perl is used. NOTE: this can, for example, be fixed in conjunction with the CVE-2020-16093 fix.
@@ -154,10 +154,18 @@ sub ldap { push @servers, $server; }
Compatibility my $caFile = $self->{args}->{ldapCAFile} || $self->{args}->{caFile}; my $caPath = $self->{args}->{ldapCAPath} || $self->{args}->{caPath};
Connect my $ldap = Net::LDAP->new( \@servers, onerror => undef, verify => $self->{args}->{ldapVerify} || "require", ( $caFile ? ( cafile => $caFile ) : () ), ( $caPath ? ( capath => $caPath ) : () ),
( $self->{args}->{ldapRaw} ? ( raw => $self->{args}->{ldapRaw} ) : () @@ -169,10 +177,12 @@ sub ldap { ) or die( 'Unable to connect to ' . join( ' ', @servers ) );
Start TLS if needed
if ($useTls) { my %h = split( /[&=]/, $tlsParam ); $h{cafile} = $self->{args}->{caFile} if ( $self->{args}->{caFile} ); $h{capath} = $self->{args}->{caPath} if ( $self->{args}->{caPath} ); $h{verify} = $self->{args}->{ldapVerify} || "require"; $h{cafile} = $caFile if ( $caFile ); $h{capath} = $caPath if ( $caPath ); my $start_tls = $ldap->start_tls(%h); if ( $start_tls->code ) { $self->logError($start_tls);
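Review bot: In the start_tls branch, `$h{verify} = $self->{args}->{ldapVerify} || "require"` is assigned after `%h` is filled from `$tlsParam`, so any `verify=` an operator put in the ldap+tls URI query is silently discarded, while `cafile`/`capath` from the same query survive unless the args override them; if that override is intended as part of the CVE fix, say so in place, e.g. `# ldapVerify (default "require") deliberately overrides any verify= in the TLS URI query`. The value of `ldapVerify` is also passed through unvalidated in both hunks, and it is unclear from here how Net::LDAP treats a misspelling such as "required", so it seems safer to reject anything outside the documented set: `my $v = $self->{args}->{ldapVerify} || "require"; die "Invalid ldapVerify value '$v' (none|optional|require)" unless $v =~ /^(?:none|optional|require)$/;` and use `$v` in both the `Net::LDAP->new` call and `$h{verify}`. With `verify => "require"` and neither `ldapCAFile` nor `ldapCAPath` configured, trust falls back to whatever IO::Socket::SSL picks up by default, which is worth a sentence in the option documentation. The enclosing `sub ldap` and the `if ($useTls)` block both continue outside this hunk.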