Fix #17776 LDAP_OPT_X_TLS_REQUIRE_CERT can't be overridden

remicollet · remicollet · commit 9dde13a1976f · 2025-02-27T07:28:02.000+01:00
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
@@ -987,6 +987,17 @@ PHP_FUNCTION(ldap_connect)
 			snprintf( url, urllen, "ldap://%s:" ZEND_LONG_FMT, host, port );
 		}
 
+#ifdef LDAP_OPT_X_TLS_NEWCTX
+		if (url && !strncmp(url, "ldaps:", 6)) {
+			int val = 0;
+
+			/* ensure all pending TLS options are applied in a new context */
+			if (ldap_set_option(NULL, LDAP_OPT_X_TLS_NEWCTX, &val) != LDAP_OPT_SUCCESS) {
+				php_error_docref(NULL, E_WARNING, "Could not create new security context");
+			}
+		}
+#endif
+
 #ifdef LDAP_API_FEATURE_X_OPENLDAP
 		/* ldap_init() is deprecated, use ldap_initialize() instead.
 		 */
@@ -3696,6 +3707,17 @@ PHP_FUNCTION(ldap_start_tls)
 	ld = Z_LDAP_LINK_P(link);
 	VERIFY_LDAP_LINK_CONNECTED(ld);
 
+#ifdef LDAP_OPT_X_TLS_NEWCTX
+	{
+		int val = 0;
+
+		/* ensure all pending TLS options are applied in a new context */
+		if (ldap_set_option(ld->link, LDAP_OPT_X_TLS_NEWCTX, &val) != LDAP_OPT_SUCCESS) {
+			php_error_docref(NULL, E_WARNING, "Could not create new security context");
+		}
+	}
+#endif
+
 	if (((rc = ldap_set_option(ld->link, LDAP_OPT_PROTOCOL_VERSION, &protocol)) != LDAP_SUCCESS) ||
 		((rc = ldap_start_tls_s(ld->link, NULL, NULL)) != LDAP_SUCCESS)
 	) {
