rpms/openldap
6
0
Fork 0
Code Issues Pull Requests Releases Activity

fix: slapd refuses to set up TLS with self-signed PEM certificate

Browse Source 
Resolves: #842022
This commit is contained in:
Jan Vcelak 2012-07-21 16:41:48 +02:00
parent 54e357771f
commit 2d64625e78
2 changed files with 105 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
openldap-nss-ignore-untrusted-issuer-server-cert.patch Normal file
View File

@ -0,0 +1,99 @@
MozNSS: ignore untrusted issuer error when veryfing server cert
(Untrusted issuer error can apper with self-signed PEM certificates.)
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #842022
Upstream ITS: #7331
---
libraries/libldap/tls_m.c | 26 ++++++++++----------------
1 file changed, 10 insertions(+), 16 deletions(-)
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 4b5727b..f37da06 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -992,14 +992,15 @@ tlsm_cert_is_self_issued( CERTCertificate *cert )
static SECStatus
tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
- PRBool checksig, SECCertificateUsage certUsage, int errorToIgnore )
+ PRBool checksig, SECCertificateUsage certUsage, PRBool warn_only,
+ PRBool ignore_issuer )
{
CERTVerifyLog verifylog;
SECStatus ret = SECSuccess;
const char *name;
int debug_level = LDAP_DEBUG_ANY;
- if ( errorToIgnore == -1 ) {
+ if ( warn_only ) {
debug_level = LDAP_DEBUG_TRACE;
}
@@ -1063,7 +1064,11 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
PR_SetError(orig_error, orig_oserror);
- } else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
+ } else if ( warn_only || ( ignore_issuer && (
+ node->error == SEC_ERROR_UNKNOWN_ISSUER ||
+ node->error == SEC_ERROR_UNTRUSTED_ISSUER )
+ ) ) {
+ ret = SECSuccess;
Debug( debug_level,
"TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) );
@@ -1084,8 +1089,6 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
if ( ret == SECSuccess ) {
Debug( LDAP_DEBUG_TRACE,
"TLS: certificate [%s] is valid\n", name, 0, 0 );
- } else if ( errorToIgnore == -1 ) {
- ret = SECSuccess;
}
return ret;
@@ -1098,15 +1101,11 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
SECStatus ret = SECSuccess;
CERTCertificate *peercert = SSL_PeerCertificate( fd );
- int errorToIgnore = 0;
tlsm_ctx *ctx = (tlsm_ctx *)arg;
- if (ctx && ctx->tc_warn_only )
- errorToIgnore = -1;
-
ret = tlsm_verify_cert( ctx->tc_certdb, peercert,
SSL_RevealPinArg( fd ),
- checksig, certUsage, errorToIgnore );
+ checksig, certUsage, ctx->tc_warn_only, PR_FALSE );
CERT_DestroyCertificate( peercert );
return ret;
@@ -1815,7 +1814,6 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
SECCertificateUsage certUsage;
PRBool checkSig;
SECStatus status;
- int errorToIgnore;
void *pin_arg;
if (tlsm_ctx_load_private_key(ctx))
@@ -1824,13 +1822,9 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
pin_arg = SSL_RevealPinArg(ctx->tc_model);
certUsage = ctx->tc_is_server ? certificateUsageSSLServer : certificateUsageSSLClient;
checkSig = ctx->tc_verify_cert ? PR_TRUE : PR_FALSE;
- if ( ctx->tc_warn_only )
- errorToIgnore = -1;
- else
- errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER; /* may not have a CA cert */
status = tlsm_verify_cert( ctx->tc_certdb, ctx->tc_certificate, pin_arg,
- checkSig, certUsage, errorToIgnore );
+ checkSig, certUsage, ctx->tc_warn_only, PR_TRUE );
return status == SECSuccess ? 0 : -1;
}
--
1.7.11.2

7
openldap.spec
View File

@ -8,7 +8,7 @@
Name: openldap Name: openldap
Version: 2.4.31 Version: 2.4.31
Release: 6%{?dist} Release: 7%{?dist}
Summary: LDAP support libraries Summary: LDAP support libraries
Group: System Environment/Daemons Group: System Environment/Daemons
License: OpenLDAP License: OpenLDAP
@ -47,6 +47,7 @@ Patch15: openldap-cve-nss-cipher-suite-ignored.patch
Patch16: openldap-nss-default-cipher-suite-always-selected.patch Patch16: openldap-nss-default-cipher-suite-always-selected.patch
Patch17: openldap-nss-multiple-tls-contexts.patch Patch17: openldap-nss-multiple-tls-contexts.patch
Patch18: openldap-ai-addrconfig.patch Patch18: openldap-ai-addrconfig.patch
Patch19: openldap-nss-ignore-untrusted-issuer-server-cert.patch
# Fedora specific patches # Fedora specific patches
Patch100: openldap-autoconf-pkgconfig-nss.patch Patch100: openldap-autoconf-pkgconfig-nss.patch
@ -167,6 +168,7 @@ ln -s %{_includedir}/nspr4 include/nspr
%patch16 -p1 %patch16 -p1
%patch17 -p1 %patch17 -p1
%patch18 -p1 %patch18 -p1
%patch19 -p1
%patch101 -p1 %patch101 -p1
@ -624,6 +626,9 @@ exit 0
%{evolution_connector_prefix}/ %{evolution_connector_prefix}/
%changelog %changelog
* Sat Jul 21 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-7
- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022)
* Fri Jul 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-6 * Fri Jul 20 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-6
- multilib fix: move libslapi from openldap-servers to openldap package - multilib fix: move libslapi from openldap-servers to openldap package