fix: MozNSS CA certdir does not work together with PEM CA cert file
Resolves: #819536
parent
61feb71485
commit
60d09d71cf
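--- /dev/null
+++ b/openldap-nss-allow-ca-dbdir-pemfile.patch
@@ -0,0 +1,56 @@
+MozNSS: allow CA certdb together with PEM CA bundle file
+
+Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate
+database and TLS_CACERT was set to a PEM bundle file with CA
+certificates, the PEM file content was not loaded.
+
+With this patch and the same settings, OpenLDAP can verify certificates
+which are signed by CAs stored both in certdb and PEM bundle file.
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Resolves: #819536
+Upstream ITS: #7276
+
+---
+libraries/libldap/tls_m.c | 16 +++++++++++++---
+1 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 50c03dd..23d843c 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1683,18 +1683,28 @@ tlsm_deferred_init( void *arg )
+ctx->tc_initctx = initctx;
+#endif
+
++ }
++
++ if ( errcode || lt->lt_cacertfile ) {
+/* initialize the PEM module */
+LDAP_MUTEX_LOCK( &tlsm_init_mutex );
+if ( tlsm_init_pem_module() ) {
+LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+- errcode = PORT_GetError();
++ int pem_errcode = PORT_GetError();
+Debug( LDAP_DEBUG_ANY,
+"TLS: could not initialize moznss PEM module - error %d:%s.\n",
+- errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+- return -1;
++ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
++
++ if ( errcode ) /* PEM is required */
++ return -1;
++
++ } else if ( !errcode ) {
++ tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL );
+}
+LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
++ }
+
++ if ( errcode ) {
+if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
+/* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode
+will be a value other than 1 - print an error message so that the
+--
+1.7.7.6
+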
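Review bot: The failure branch of `tlsm_init_pem_module()` still calls `LDAP_MUTEX_UNLOCK( &tlsm_init_mutex )` before logging, and now that `return -1` is conditional on `errcode`, the certdb-succeeded/PEM-failed path falls through to the second `LDAP_MUTEX_UNLOCK( &tlsm_init_mutex )` after the if/else, so the mutex is released twice. The unlock inside the branch should go, with an explicit unlock only on the early-return path, so the block releases the lock exactly once. The result of the added `tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL )` is also discarded, unlike the checked call to the same function a few lines below, so a configured TLS_CACERT bundle that fails to load leaves no log trace at all; it should at least be logged, and whether it should be fatal as in the certdb-failed path is worth deciding explicitly. `tlsm_deferred_init` begins and ends outside this hunk.
```c
		if ( tlsm_init_pem_module() ) {
			int pem_errcode = PORT_GetError();
			/* … unchanged: Debug( LDAP_DEBUG_ANY, "TLS: could not initialize moznss PEM module - error %d:%s.\n", … ) … */
			if ( errcode ) { /* PEM is required */
				LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
				return -1;
			}
		} else if ( !errcode ) {
			if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL ) ) {
				Debug( LDAP_DEBUG_ANY,
					"TLS: could not load CA certificates from PEM file %s.\n",
					lt->lt_cacertfile, 0, 0 );
			}
		}
		LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
```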
@ -39,6 +39,7 @@ Patch7: openldap-dns-priority.patch
Patch8: openldap-syncrepl-unset-tls-options.patch
Patch9: openldap-constraint-count.patch
Patch10: openldap-man-sasl-nocanon.patch
Patch11: openldap-nss-allow-ca-dbdir-pemfile.patch
# Fedora specific patches
Patch100: openldap-fedora-systemd.patch
@ -145,6 +146,7 @@ pushd openldap-%{version}
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch100 -p1
@ -658,6 +660,7 @@ exit 0
%changelog
* Fri May 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-2
- fix: nss-tools package is required by the base package, not the server subpackage
- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536)
* Tue Apr 24 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-1
- new upstream release