fix: MozNSS CA certdir does not work together with PEM CA cert file

Resolves: #819536
This commit is contained in:
Jan Vcelak 2012-05-18 12:43:14 +02:00
parent 61feb71485
commit 60d09d71cf
2 changed files with 59 additions and 0 deletions


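--- a/openldap-nss-allow-ca-dbdir-pemfile.patch
+++ b/openldap-nss-allow-ca-dbdir-pemfile.patch
@@ -0,0 +1,56 @@
+MozNSS: allow CA certdb together with PEM CA bundle file
+Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate
+database and TLS_CACERT was set to a PEM bundle file with CA
+certificates, the PEM file content was not loaded.
+With this patch and the same settings, OpenLDAP can verify certificates
+which are signed by CAs stored both in certdb and PEM bundle file.
+Author: Jan Vcelak <jvcelak@redhat.com>
+Resolves: #819536
+Upstream ITS: #7276
+---
+libraries/libldap/tls_m.c | 16 +++++++++++++---
+1 files changed, 13 insertions(+), 3 deletions(-)
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 50c03dd..23d843c 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1683,18 +1683,28 @@ tlsm_deferred_init( void *arg )
+ctx->tc_initctx = initctx;
+#endif
++ }
++
++ if ( errcode || lt->lt_cacertfile ) {
+/* initialize the PEM module */
+LDAP_MUTEX_LOCK( &tlsm_init_mutex );
+if ( tlsm_init_pem_module() ) {
+LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+- errcode = PORT_GetError();
++ int pem_errcode = PORT_GetError();
+Debug( LDAP_DEBUG_ANY,
+"TLS: could not initialize moznss PEM module - error %d:%s.\n",
+- errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+- return -1;
++ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
++
++ if ( errcode ) /* PEM is required */
++ return -1;
++
++ } else if ( !errcode ) {
++ tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL );
+}
+LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
++ }
++ if ( errcode ) {
+if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
+/* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode
+will be a value other than 1 - print an error message so that the
+--
+1.7.7.6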
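Review bot: When tlsm_init_pem_module() fails while errcode is 0, tlsm_init_mutex is released twice: once by the unlock that directly follows `if ( tlsm_init_pem_module() ) {`, and again by the unlock after the if/else-if, because the new `if ( errcode ) /* PEM is required */ return -1;` no longer exits unconditionally the way the removed `return -1;` did. A double unlock of a non-error-checking mutex is undefined behaviour, so drop the unlock inside the failure branch and release the mutex only on the early exit, `if ( errcode ) { LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); return -1; }`, leaving the unlock after the block as the single release on the other paths. The result of `tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL )` in the else-if branch is discarded, so a PEM bundle that fails to load is silent, whereas the certdir path just below checks the return value and reports it; at least a Debug line on failure would keep the two paths consistent. The `int pem_errcode` declaration also follows a statement, which needs C99 mixed declarations that the surrounding file may not rely on elsewhere. tlsm_deferred_init starts before this hunk and continues past it.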


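--- a/SPEC_FILE_PATH_PLACEHOLDER
+++ b/SPEC_FILE_PATH_PLACEHOLDER
@@ -39,6 +39,7 @@ Patch7: openldap-dns-priority.patch
 Patch8: openldap-syncrepl-unset-tls-options.patch
 Patch9: openldap-constraint-count.patch
 Patch10: openldap-man-sasl-nocanon.patch
+Patch11: openldap-nss-allow-ca-dbdir-pemfile.patch
 # Fedora specific patches
 Patch100: openldap-fedora-systemd.patch
@@ -145,6 +146,7 @@ pushd openldap-%{version}
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 %patch100 -p1
@@ -658,6 +660,7 @@ exit 0
 %changelog
 * Fri May 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-2
 - fix: nss-tools package is required by the base package, not the server subpackage
+- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536)
 * Tue Apr 24 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-1
 - new upstream release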