fix: some server certificates refused with inadequate type error

Resolves: #668899
Jan Vcelak 2011-01-20 16:19:39 +01:00
parent 660d07ac75
commit 4afcb000ed


@ -1,12 +1,12 @@
openldap does not trust certs with Basic Constraint ext. with CA == FALSE openldap does not trust certs with Basic Constraint ext. with CA == FALSE
Resolves: #657984 Resolves: #657984, #668899
Upstream: ITS #6742 Upstream: ITS #6742, #6791
Author: Rich Megginson <rmeggins@redhat.com> Author: Rich Megginson <rmeggins@redhat.com>
diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/libldap/tls_m.c diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/libldap/tls_m.c
--- openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-06 20:24:54.401170400 +0100 --- openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-20 16:06:56.461937417 +0100
+++ openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-06 20:40:21.180097089 +0100 +++ openldap-2.4.23/libraries/libldap/tls_m.c 2011-01-20 16:07:58.494922870 +0100
@@ -63,6 +63,7 @@ @@ -63,6 +63,7 @@
#include <nss/secerr.h> #include <nss/secerr.h>
#include <nss/keyhi.h> #include <nss/keyhi.h>
@ -65,7 +65,7 @@ diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/
+ +
+static SECStatus +static SECStatus
+tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg, +tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ PRBool checksig, SECCertUsage certUsage, int errorToIgnore ) + PRBool checksig, SECCertificateUsage certUsage, int errorToIgnore )
+{ +{
+ CERTVerifyLog verifylog; + CERTVerifyLog verifylog;
+ SECStatus ret = SECSuccess; + SECStatus ret = SECSuccess;
@ -159,7 +159,7 @@ diff -uNPrp openldap-2.4.23/libraries/libldap/tls_m.c openldap-2.4.23/libraries/
+tlsm_auth_cert_handler(void *arg, PRFileDesc *fd, +tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
+ PRBool checksig, PRBool isServer) + PRBool checksig, PRBool isServer)
+{ +{
+ SECCertUsage certUsage = isServer ? certUsageSSLClient : certUsageSSLServer; + SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
+ SECStatus ret = SECSuccess; + SECStatus ret = SECSuccess;
+ +
+ ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, SSL_PeerCertificate( fd ), + ret = tlsm_verify_cert( (CERTCertDBHandle *)arg, SSL_PeerCertificate( fd ),
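Review bot: The parameter type change on the `tlsm_verify_cert` signature (`SECCertUsage` → `SECCertificateUsage`) is only sound if the verification call inside its body was switched as well, and that body lies outside the hunk: `SECCertificateUsage` is a bitmask (`certificateUsage*` flags) whereas `SECCertUsage` is a small enum, so passing the new value into the enum-taking `CERT_VerifyCert()` would be silently misinterpreted rather than rejected by the compiler. Please confirm the body calls the bitmask-taking `CERT_VerifyCertificate()` and, since it takes an `int errorToIgnore` and a `CERTVerifyLog`, that the log walk still matches the usage being checked. A one-line comment on the signature would prevent the next reader from re-mixing the two types: `/* certUsage is a SECCertificateUsage bitmask (certificateUsage*), not the SECCertUsage enum */`. Both `tlsm_verify_cert` and `tlsm_auth_cert_handler` continue past the end of their hunks.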