fix: connection failure if TLS_CACERTDIR doesn't exist but TLS_REQCERT is set to 'never'
Resolves: #716854
This commit is contained in:
parent
cea83df834
commit
865ea62898
68
openldap-nss-cacertdir-soft-error.patch
Normal file
68
openldap-nss-cacertdir-soft-error.patch
Normal file
@ -0,0 +1,68 @@
|
||||
Connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT is set to 'never'
|
||||
|
||||
Resolves: #716854
|
||||
Author: Rich Megginson <rmeggins@redhat.com>
|
||||
Upstream: ITS #6975, git 7e528ae
|
||||
|
||||
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
|
||||
index 911885d..7be703b 100644
|
||||
--- a/libraries/libldap/tls_m.c
|
||||
+++ b/libraries/libldap/tls_m.c
|
||||
@@ -1320,7 +1320,7 @@ static int
|
||||
tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir )
|
||||
{
|
||||
PRBool isca = PR_TRUE;
|
||||
- PRStatus status = PR_FAILURE;
|
||||
+ PRStatus status = PR_SUCCESS;
|
||||
PRErrorCode errcode = PR_SUCCESS;
|
||||
|
||||
if ( !cacertfile && !cacertdir ) {
|
||||
@@ -1336,14 +1336,24 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
|
||||
"TLS: %s is not a valid CA certificate file - error %d:%s.\n",
|
||||
cacertfile, errcode,
|
||||
PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
||||
+ /* failure with cacertfile is a hard failure even if cacertdir is
|
||||
+ also specified and contains valid CA cert files */
|
||||
+ status = PR_FAILURE;
|
||||
} else {
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"TLS: loaded CA certificate file %s.\n",
|
||||
cacertfile, 0, 0 );
|
||||
- status = PR_SUCCESS; /* have at least one good CA - we can proceed */
|
||||
}
|
||||
}
|
||||
|
||||
+ /* if cacertfile above failed, we will return failure, even
|
||||
+ if there is a valid CA cert in cacertdir - but we still
|
||||
+ process cacertdir in case the user has enabled trace level
|
||||
+ debugging so they can see the processing for cacertdir too */
|
||||
+ /* any cacertdir failures are "soft" failures - if the user specifies
|
||||
+ no cert checking, then we allow the tls/ssl to continue, no matter
|
||||
+ what was specified for cacertdir, or the contents of the directory
|
||||
+ - this is different behavior than that of cacertfile */
|
||||
if ( cacertdir ) {
|
||||
PRFileInfo fi;
|
||||
PRDir *dir;
|
||||
@@ -1397,7 +1407,6 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
"TLS: loaded CA certificate file %s from CA certificate directory %s.\n",
|
||||
fullpath, cacertdir, 0 );
|
||||
- status = PR_SUCCESS; /* found at least 1 valid CA file in the dir */
|
||||
} else {
|
||||
errcode = PR_GetError();
|
||||
Debug( LDAP_DEBUG_TRACE,
|
||||
@@ -1412,14 +1421,6 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
|
||||
}
|
||||
done:
|
||||
if ( status != PR_SUCCESS ) {
|
||||
- const char *fmtstr = NULL;
|
||||
- if ( cacertfile && cacertdir ) {
|
||||
- fmtstr = "TLS: did not find any valid CA certificates in %s or %s\n";
|
||||
- } else {
|
||||
- fmtstr = "TLS: did not find any valid CA certificates in %s%s\n";
|
||||
- }
|
||||
- Debug( LDAP_DEBUG_ANY, fmtstr, cacertdir ? cacertdir : "",
|
||||
- cacertfile ? cacertfile : "", 0 );
|
||||
return -1;
|
||||
}
|
||||
|
@ -28,6 +28,7 @@ Patch5: openldap-smbk5pwd-overlay.patch
|
||||
Patch6: openldap-ldaprc-currentdir.patch
|
||||
Patch7: openldap-userconfig-setgid.patch
|
||||
Patch8: openldap-nss-nofork.patch
|
||||
Patch9: openldap-nss-cacertdir-soft-error.patch
|
||||
|
||||
# patches for the evolution library (see README.evolution)
|
||||
Patch200: openldap-evolution-ntlm.patch
|
||||
@ -128,6 +129,7 @@ pushd openldap-%{version}
|
||||
%patch6 -p1 -b .ldaprc-currentdir
|
||||
%patch7 -p1 -b .userconfig-setgid
|
||||
%patch8 -p1 -b .nss-nofork
|
||||
%patch9 -p1 -b .nss-cacertdir-soft-error
|
||||
|
||||
cp %{_datadir}/libtool/config/config.{sub,guess} build/
|
||||
|
||||
@ -656,6 +658,8 @@ exit 0
|
||||
- enable ldapi:/// interface by default
|
||||
- set cn=config management ACLs for root user, SASL external schema (#712495)
|
||||
- fix: server scriptlets require initscripts package (#716857)
|
||||
- fix: connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT
|
||||
is set to 'never' (#716854)
|
||||
|
||||
* Fri Mar 18 2011 Jan Vcelak <jvcelak@redhat.com> 2.4.24-2
|
||||
- new: system resource limiting for slapd using ulimit
|
||||
|
Loading…
Reference in New Issue
Block a user