From 4ce309d968cfe02c402d07b2911241c38a8adf6b Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Wed, 24 Jun 2026 01:59:05 -0400 Subject: [PATCH] ldap: support insecure mode for Windows native LDAP - Bypass cert verification if verifypeer is disabled. Prior to this change libcurl lacked the ability to bypass certificate verification for Windows native LDAP (USE_WIN32_LDAP). A comment said "Win32 LDAP SDK does not support insecure mode without CA!" but I found that we can bypass the check by setting a verify callback to override Windows' internal verify check. Closes https://github.com/curl/curl/pull/22152 --- lib/ldap.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/lib/ldap.c b/lib/ldap.c index a6a69eb7f1..29bc5efab2 100644 --- a/lib/ldap.c +++ b/lib/ldap.c @@ -251,6 +251,17 @@ static bool ldap_value_needs_base64(const char *attr, size_t attr_len, return FALSE; } +#ifdef USE_WIN32_LDAP +static BOOLEAN bypass_cert_verify(PLDAP Connection, + PCCERT_CONTEXT *ppServerCert) +{ + (void)Connection; + CertFreeCertificateContext(*ppServerCert); + /* approve any certificate since the verification is set to bypass */ + return TRUE; +} +#endif + static CURLcode ldap_do(struct Curl_easy *data, bool *done) { CURLcode result = CURLE_OK; @@ -340,8 +351,18 @@ static CURLcode ldap_do(struct Curl_easy *data, bool *done) if(ldap_ssl) { #ifdef HAVE_LDAP_SSL #ifdef USE_WIN32_LDAP - /* Win32 LDAP SDK does not support insecure mode without CA! */ + /* Win32 LDAP uses the Windows CA store to verify certificates */ ldap_set_option(server, LDAP_OPT_SSL, LDAP_OPT_ON); + if(!conn->ssl_config.verifypeer) { + if(conn->ssl_config.verifyhost) { + failf(data, "LDAP local: host verification cannot be enabled when " + "peer verification is disabled for Windows native LDAP"); + result = CURLE_NOT_BUILT_IN; + goto quit; + } + ldap_set_option(server, LDAP_OPT_SERVER_CERTIFICATE, + (void *)(uintptr_t)bypass_cert_verify); + } #else /* !USE_WIN32_LDAP */ int ldap_option; const char *ldap_ca = conn->ssl_config.CAfile;