fix: MozNSS CA certdir does not work together with PEM CA cert file
Resolves: #819536
This commit is contained in:
parent
61feb71485
commit
60d09d71cf
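--- a/openldap-nss-allow-ca-dbdir-pemfile.patch
+++ b/openldap-nss-allow-ca-dbdir-pemfile.patch
@@ -0,0 +1,56 @@
+MozNSS: allow CA certdb together with PEM CA bundle file
+
+Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate
+database and TLS_CACERT was set to a PEM bundle file with CA
+certificates, the PEM file content was not loaded.
+
+With this patch and the same settings, OpenLDAP can verify certificates
+which are signed by CAs stored both in certdb and PEM bundle file.
+
+Author: Jan Vcelak <jvcelak@redhat.com>
+Resolves: #819536
+Upstream ITS: #7276
+
+---
+libraries/libldap/tls_m.c | 16 +++++++++++++---
+1 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 50c03dd..23d843c 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1683,18 +1683,28 @@ tlsm_deferred_init( void *arg )
+ctx->tc_initctx = initctx;
+#endif
+
++ }
++
++ if ( errcode || lt->lt_cacertfile ) {
+/* initialize the PEM module */
+LDAP_MUTEX_LOCK( &tlsm_init_mutex );
+if ( tlsm_init_pem_module() ) {
+LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+- errcode = PORT_GetError();
++ int pem_errcode = PORT_GetError();
+Debug( LDAP_DEBUG_ANY,
+"TLS: could not initialize moznss PEM module - error %d:%s.\n",
+- errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+- return -1;
++ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
++
++ if ( errcode ) /* PEM is required */
++ return -1;
++
++ } else if ( !errcode ) {
++ tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL );
+}
+LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
++ }
+
++ if ( errcode ) {
+if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
+/* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode
+will be a value other than 1 - print an error message so that the
+--
+1.7.7.6
+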
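Review bot: When the certdb opened cleanly (`errcode == 0`) but `tlsm_init_pem_module()` fails, the new flow releases `tlsm_init_mutex` twice — once right after the failed call and again at the `LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );` that now closes the `if ( errcode || lt->lt_cacertfile )` block — because the `return -1` has become conditional on `errcode`. Before this patch that branch always returned, so the trailing unlock was unreachable; unlocking a default pthread mutex the thread no longer holds is undefined behaviour and can leave the lock unusable for every later TLS context initialisation in the process. Drop the unconditional unlock after the failed call and release the lock only on the early-return path: `if ( errcode ) { /* PEM is required */ LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); return -1; }`. Separately, the return value of `tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL );` in the `else if ( !errcode )` branch is discarded, so a TLS_CACERT bundle that cannot be loaded no longer makes initialisation fail as it did before; unless that helper already logs its own failure, a `Debug( LDAP_DEBUG_ANY, ... )` on a non-zero return would at least tell the operator which CAs are missing. `tlsm_deferred_init` starts and ends outside the hunk.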
@ -39,6 +39,7 @@ Patch7: openldap-dns-priority.patch
|
|||||||
Patch8: openldap-syncrepl-unset-tls-options.patch
|
Patch8: openldap-syncrepl-unset-tls-options.patch
|
||||||
Patch9: openldap-constraint-count.patch
|
Patch9: openldap-constraint-count.patch
|
||||||
Patch10: openldap-man-sasl-nocanon.patch
|
Patch10: openldap-man-sasl-nocanon.patch
|
||||||
|
Patch11: openldap-nss-allow-ca-dbdir-pemfile.patch
|
||||||
|
|
||||||
# Fedora specific patches
|
# Fedora specific patches
|
||||||
Patch100: openldap-fedora-systemd.patch
|
Patch100: openldap-fedora-systemd.patch
|
||||||
@ -145,6 +146,7 @@ pushd openldap-%{version}
|
|||||||
%patch8 -p1
|
%patch8 -p1
|
||||||
%patch9 -p1
|
%patch9 -p1
|
||||||
%patch10 -p1
|
%patch10 -p1
|
||||||
|
%patch11 -p1
|
||||||
|
|
||||||
%patch100 -p1
|
%patch100 -p1
|
||||||
|
|
||||||
@ -658,6 +660,7 @@ exit 0
|
|||||||
%changelog
|
%changelog
|
||||||
* Fri May 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-2
|
* Fri May 18 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-2
|
||||||
- fix: nss-tools package is required by the base package, not the server subpackage
|
- fix: nss-tools package is required by the base package, not the server subpackage
|
||||||
|
- fix: MozNSS CA certdir does not work together with PEM CA cert file (#819536)
|
||||||
|
|
||||||
* Tue Apr 24 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-1
|
* Tue Apr 24 2012 Jan Vcelak <jvcelak@redhat.com> 2.4.31-1
|
||||||
- new upstream release
|
- new upstream release
|
||||||
|