fix: slapd refuses to set up TLS with self-signed PEM certificate
Resolves: #842022
This commit is contained in:
Jan Vcelak
parent
54e357771f
commit
2d64625e78
99
openldap-nss-ignore-untrusted-issuer-server-cert.patch
Normal file
99
openldap-nss-ignore-untrusted-issuer-server-cert.patch
Normal file
@ -0,0 +1,99 @@
|
||||
MozNSS: ignore untrusted issuer error when veryfing server cert
|
||||
|
||||
(Untrusted issuer error can apper with self-signed PEM certificates.)
|
||||
|
||||
Author: Jan Vcelak <jvcelak@redhat.com>
|
||||
Resolves: #842022
|
||||
Upstream ITS: #7331
|
||||
|
||||
---
|
||||
libraries/libldap/tls_m.c | 26 ++++++++++----------------
|
||||
1 file changed, 10 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
index 4b5727b..f37da06 100644
|
||||
--- a/libraries/libldap/tls_m.c
|
||||
+++ b/libraries/libldap/tls_m.c
|
||||
@@ -992,14 +992,15 @@ tlsm_cert_is_self_issued( CERTCertificate *cert )
|
||||
|
||||
static SECStatus
|
||||
tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
|
||||
- PRBool checksig, SECCertificateUsage certUsage, int errorToIgnore )
|
||||
+ PRBool checksig, SECCertificateUsage certUsage, PRBool warn_only,
|
||||
+ PRBool ignore_issuer )
|
||||
{
|
||||
CERTVerifyLog verifylog;
|
||||
SECStatus ret = SECSuccess;
|
||||
const char *name;
|
||||
int debug_level = LDAP_DEBUG_ANY;
|
||||
|
||||
- if ( errorToIgnore == -1 ) {
|
||||
+ if ( warn_only ) {
|
||||
debug_level = LDAP_DEBUG_TRACE;
|
||||
}
|
||||
|
||||
@@ -1063,7 +1064,11 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
|
||||
|
||||
PR_SetError(orig_error, orig_oserror);
|
||||
|
||||
- } else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
|
||||
+ } else if ( warn_only || ( ignore_issuer && (
|
||||
+ node->error == SEC_ERROR_UNKNOWN_ISSUER ||
|
||||
+ node->error == SEC_ERROR_UNTRUSTED_ISSUER )
|
||||
+ ) ) {
|
||||
+ ret = SECSuccess;
|
||||
Debug( debug_level,
|
||||
"TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
|
||||
name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) );
|
||||
@@ -1084,8 +1089,6 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
|
||||
if ( ret == SECSuccess ) {
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"TLS: certificate [%s] is valid\n", name, 0, 0 );
|
||||
- } else if ( errorToIgnore == -1 ) {
|
||||
- ret = SECSuccess;
|
||||
}
|
||||
|
||||
return ret;
|
||||
@@ -1098,15 +1101,11 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
|
||||
SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
|
||||
SECStatus ret = SECSuccess;
|
||||
CERTCertificate *peercert = SSL_PeerCertificate( fd );
|
||||
- int errorToIgnore = 0;
|
||||
tlsm_ctx *ctx = (tlsm_ctx *)arg;
|
||||
|
||||
- if (ctx && ctx->tc_warn_only )
|
||||
- errorToIgnore = -1;
|
||||
-
|
||||
ret = tlsm_verify_cert( ctx->tc_certdb, peercert,
|
||||
SSL_RevealPinArg( fd ),
|
||||
- checksig, certUsage, errorToIgnore );
|
||||
+ checksig, certUsage, ctx->tc_warn_only, PR_FALSE );
|
||||
CERT_DestroyCertificate( peercert );
|
||||
|
||||
return ret;
|
||||
@@ -1815,7 +1814,6 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
|
||||
SECCertificateUsage certUsage;
|
||||
PRBool checkSig;
|
||||
SECStatus status;
|
||||
- int errorToIgnore;
|
||||
void *pin_arg;
|
||||
|
||||
if (tlsm_ctx_load_private_key(ctx))
|
||||
@@ -1824,13 +1822,9 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
|
||||
pin_arg = SSL_RevealPinArg(ctx->tc_model);
|
||||
certUsage = ctx->tc_is_server ? certificateUsageSSLServer : certificateUsageSSLClient;
|
||||
checkSig = ctx->tc_verify_cert ? PR_TRUE : PR_FALSE;
|
||||
- if ( ctx->tc_warn_only )
|
||||
- errorToIgnore = -1;
|
||||
- else
|
||||
- errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER; /* may not have a CA cert */
|
||||
|
||||
status = tlsm_verify_cert( ctx->tc_certdb, ctx->tc_certificate, pin_arg,
|
||||
- checkSig, certUsage, errorToIgnore );
|
||||
+ checkSig, certUsage, ctx->tc_warn_only, PR_TRUE );
|
||||
|
||||
return status == SECSuccess ? 0 : -1;
|
||||
}
|
||||
--
|
||||
1.7.11.2
|
||||
|
||||
@ -8,7 +8,7 @@
|
||||
|
||||
Name: openldap
|
||||
Version: 2.4.31
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
Summary: LDAP support libraries
|
||||
Group: System Environment/Daemons
|
||||
License: OpenLDAP
|
||||
@ -47,6 +47,7 @@ Patch15: openldap-cve-nss-cipher-suite-ignored.patch
|
||||
Patch16: openldap-nss-default-cipher-suite-always-selected.patch
|
||||
Patch17: openldap-nss-multiple-tls-contexts.patch
|
||||
Patch18: openldap-ai-addrconfig.patch
|
||||
Patch19: openldap-nss-ignore-untrusted-issuer-server-cert.patch
|
||||
|
||||
# Fedora specific patches
|
||||
Patch100: openldap-autoconf-pkgconfig-nss.patch
|
||||
@ -167,6 +168,7 @@ ln -s %{_includedir}/nspr4 include/nspr
|
||||
%patch16 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
|
||||
%patch101 -p1
|
||||
|
||||
@ -624,6 +626,9 @@ exit 0
|
||||
%{evolution_connector_prefix}/
|
||||
|
||||
%changelog
|
||||
* Sat Jul 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-7
|
||||
- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022)
|
||||
|
||||
* Fri Jul 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-6
|
||||
- multilib fix: move libslapi from openldap-servers to openldap package
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user