diff --git a/openldap-nss-ignore-untrusted-issuer-server-cert.patch b/openldap-nss-ignore-untrusted-issuer-server-cert.patch
new file mode 100644
index 0000000..2f5442e
--- /dev/null
+++ b/openldap-nss-ignore-untrusted-issuer-server-cert.patch
@@ -0,0 +1,99 @@
+MozNSS: ignore untrusted issuer error when veryfing server cert
+
+(Untrusted issuer error can apper with self-signed PEM certificates.)
+
+Author: Jan Vcelak
+Resolves: #842022
+Upstream ITS: #7331
+
+---
+ libraries/libldap/tls_m.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 4b5727b..f37da06 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -992,14 +992,15 @@ tlsm_cert_is_self_issued( CERTCertificate *cert )
+ 
+ static SECStatus
+ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+- PRBool checksig, SECCertificateUsage certUsage, int errorToIgnore )
++ PRBool checksig, SECCertificateUsage certUsage, PRBool warn_only,
++ PRBool ignore_issuer )
+ {
+ CERTVerifyLog verifylog;
+ SECStatus ret = SECSuccess;
+ const char *name;
+ int debug_level = LDAP_DEBUG_ANY;
+ 
+- if ( errorToIgnore == -1 ) {
++ if ( warn_only ) {
+ debug_level = LDAP_DEBUG_TRACE;
+ }
+ 
+@@ -1063,7 +1064,11 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ 
+ PR_SetError(orig_error, orig_oserror);
+ 
+- } else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
++ } else if ( warn_only || ( ignore_issuer && (
++ node->error == SEC_ERROR_UNKNOWN_ISSUER ||
++ node->error == SEC_ERROR_UNTRUSTED_ISSUER )
++ ) ) {
++ ret = SECSuccess;
+ Debug( debug_level,
+ "TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
+ name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) );
+@@ -1084,8 +1089,6 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ if ( ret == SECSuccess ) {
+ Debug( LDAP_DEBUG_TRACE,
+ "TLS: certificate [%s] is valid\n", name, 0, 0 );
+- } else if ( errorToIgnore == -1 ) {
+- ret = SECSuccess;
+ }
+ 
+ return ret;
+@@ -1098,15 +1101,11 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
+ 
SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
+ SECStatus ret = SECSuccess;
+ CERTCertificate *peercert = SSL_PeerCertificate( fd );
+- int errorToIgnore = 0;
+ tlsm_ctx *ctx = (tlsm_ctx *)arg;
+ 
+- if (ctx && ctx->tc_warn_only )
+- errorToIgnore = -1;
+-
+ ret = tlsm_verify_cert( ctx->tc_certdb, peercert,
+ SSL_RevealPinArg( fd ),
+- checksig, certUsage, errorToIgnore );
++ checksig, certUsage, ctx->tc_warn_only, PR_FALSE );
+ CERT_DestroyCertificate( peercert );
+ 
+ return ret;
+@@ -1815,7 +1814,6 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
+ SECCertificateUsage certUsage;
+ PRBool checkSig;
+ SECStatus status;
+- int errorToIgnore;
+ void *pin_arg;
+ 
+ if (tlsm_ctx_load_private_key(ctx))
+@@ -1824,13 +1822,9 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
+ pin_arg = SSL_RevealPinArg(ctx->tc_model);
+ certUsage = ctx->tc_is_server ? certificateUsageSSLServer : certificateUsageSSLClient;
+ checkSig = ctx->tc_verify_cert ? PR_TRUE : PR_FALSE;
+- if ( ctx->tc_warn_only )
+- errorToIgnore = -1;
+- else
+- errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER; /* may not have a CA cert */
+ 
+ status = tlsm_verify_cert( ctx->tc_certdb, ctx->tc_certificate, pin_arg,
+- checkSig, certUsage, errorToIgnore );
++ checkSig, certUsage, ctx->tc_warn_only, PR_TRUE );
+ 
+ return status == SECSuccess ? 0 : -1;
+ }
+-- 
+1.7.11.2
+
diff --git a/openldap.spec b/openldap.spec
index e8351ac..9b112f7 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -8,7 +8,7 @@ Name: openldap
 Version: 2.4.31
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
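Review bot: In the nested `@@ -1063,7 +1064,11 @@` hunk, `ret = SECSuccess;` is now assigned inside the branch that handles one `node->error` of the verify log, so an accepted issuer error on one chain node overwrites whatever an earlier node left in `ret`; if the non-ignorable branch that follows (outside the hunk) records `SECFailure`, a log holding, say, an expiry error on one node and an untrusted-issuer error on a later node would still verify. I would drop the assignment from this branch, set `ret = SECSuccess;` once before the walk over the log nodes, and let only the non-ignorable branch set `SECFailure`, so an error the caller chose to accept can never mask one it did not. The two new parameters also deserve a line above `tlsm_verify_cert`, e.g. `/* warn_only: log at TRACE and accept every verification error; ignore_issuer: also accept SEC_ERROR_UNKNOWN_ISSUER and SEC_ERROR_UNTRUSTED_ISSUER (passed PR_TRUE only for our own, possibly self-signed, certificate - peer verification passes PR_FALSE) */`. The body of tlsm_verify_cert, including the loop this branch sits in, continues outside the hunks.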
@@ -47,6 +47,7 @@ Patch15: openldap-cve-nss-cipher-suite-ignored.patch
 Patch16: openldap-nss-default-cipher-suite-always-selected.patch
 Patch17: openldap-nss-multiple-tls-contexts.patch
 Patch18: openldap-ai-addrconfig.patch
+Patch19: openldap-nss-ignore-untrusted-issuer-server-cert.patch
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -167,6 +168,7 @@ ln -s %{_includedir}/nspr4 include/nspr
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
+%patch19 -p1
 %patch101 -p1
@@ -624,6 +626,9 @@ exit 0
 %{evolution_connector_prefix}/
 %changelog
+* Sat Jul 21 2012 Jan Vcelak 2.4.31-7
+- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022)
+
 * Fri Jul 20 2012 Jan Vcelak 2.4.31-6
 - multilib fix: move libslapi from openldap-servers to openldap package