CVE-2016-2113: s4:librpc/rpc: verify the rpc_proxy certificate and hostname if configured
[samba.git] / source4 / librpc / rpc / dcerpc_roh.c
index c4842fb8cb64c04344066b378883982f0e15fc55..6da29787fbe94d232ba0c3d8878a803c37d7d63c 100644 (file)
@@ -185,10 +185,17 @@ struct tevent_req *dcerpc_pipe_open_roh_send(struct dcecli_connection *conn,
 
        /* Initialize TLS */
        if (use_tls) {
-               status = tstream_tls_params_client(state->roh, NULL, NULL,
-                                                  lpcfg_tls_priority(lp_ctx),
-                                                  TLS_VERIFY_PEER_NO_CHECK,
-                                                  NULL,
+               char *ca_file = lpcfg_tls_cafile(state, lp_ctx);
+               char *crl_file = lpcfg_tls_crlfile(state, lp_ctx);
+               const char *tls_priority = lpcfg_tls_priority(lp_ctx);
+               enum tls_verify_peer_state verify_peer =
+                       lpcfg_tls_verify_peer(lp_ctx);
+
+               status = tstream_tls_params_client(state->roh,
+                                                  ca_file, crl_file,
+                                                  tls_priority,
+                                                  verify_peer,
+                                                  state->rpc_proxy,
                                                   &state->tls_params);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(0,("%s: Failed tstream_tls_params_client - %s\n",
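Review bot: The inputs that now decide whether the RPC proxy is authenticated (`ca_file`, `crl_file`, `verify_peer` and `state->rpc_proxy`) are handed to `tstream_tls_params_client()` with no local check or comment. A reader of this call site cannot tell what happens when `lpcfg_tls_cafile()` returns NULL, whether because it is unset or because allocation failed, or when the configured level is still `TLS_VERIFY_PEER_NO_CHECK`. Whether the callee rejects a verify level that needs a CA file or peer name it was not given is not visible in this hunk and should be confirmed, because otherwise the session would continue unverified. I would add above the call `/* Verification level comes from "tls verify peer"; state->rpc_proxy is the name the proxy certificate must match. */`. I would also log at `DEBUG(1, ...)` when `verify_peer == TLS_VERIFY_PEER_NO_CHECK`, so an unauthenticated proxy connection is visible to operators. The body of `dcerpc_pipe_open_roh_send` starts and ends outside the hunk.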