From 865ea6289877f59909def7c3cea893ec48cb6830 Mon Sep 17 00:00:00 2001
From: Jan Vcelak
Date: Mon, 27 Jun 2011 15:05:53 +0200
Subject: [PATCH] fix: connection failure if TLS_CACERTDIR doesn't exist but TLS_REQCERT is set to 'never'

Resolves: #716854
---
 openldap-nss-cacertdir-soft-error.patch | 68 +++++++++++++++++++++++++
 openldap.spec | 4 ++
 2 files changed, 72 insertions(+)
 create mode 100644 openldap-nss-cacertdir-soft-error.patch

diff --git a/openldap-nss-cacertdir-soft-error.patch b/openldap-nss-cacertdir-soft-error.patch
new file mode 100644
index 0000000..3da419a
--- /dev/null
+++ b/openldap-nss-cacertdir-soft-error.patch
@@ -0,0 +1,68 @@
+Connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT is set to 'never'
+
+Resolves: #716854
+Author: Rich Megginson
+Upstream: ITS #6975, git 7e528ae
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 911885d..7be703b 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1320,7 +1320,7 @@ static int
+ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir )
+ {
+ PRBool isca = PR_TRUE;
+- PRStatus status = PR_FAILURE;
++ PRStatus status = PR_SUCCESS;
+ PRErrorCode errcode = PR_SUCCESS;
+ 
+ if ( !cacertfile && !cacertdir ) {
+@@ -1336,14 +1336,24 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ "TLS: %s is not a valid CA certificate file - error %d:%s.\n",
+ cacertfile, errcode,
+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
++ /* failure with cacertfile is a hard failure even if cacertdir is
++ also specified and contains valid CA cert files */
++ status = PR_FAILURE;
+ } else {
+ Debug( LDAP_DEBUG_TRACE,
+ "TLS: loaded CA certificate file %s.\n",
+ cacertfile, 0, 0 );
+- status = PR_SUCCESS; /* have at least one good CA - we can proceed */
+ }
+ }
+ 
++ /* if cacertfile above failed, we will return failure, even
++ if there is a valid CA cert in cacertdir - but we still
++ process cacertdir in case the user has enabled trace level
++ debugging so they can see the processing for cacertdir too */
++ /* any cacertdir failures are "soft" failures - if the user specifies
++ no cert checking, then we allow the tls/ssl to continue, no matter
++ what was specified for cacertdir, or the contents of the directory
++ - this is different behavior than that of cacertfile */
+ if ( cacertdir ) {
+ PRFileInfo fi;
+ PRDir *dir;
+@@ -1397,7 +1407,6 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ Debug( LDAP_DEBUG_TRACE,
+ "TLS: loaded CA certificate file %s from CA certificate directory %s.\n",
+ fullpath, cacertdir, 0 );
+- status = PR_SUCCESS; /* found at least 1 valid CA file in the dir */
+ } else {
+ errcode = PR_GetError();
+ Debug( LDAP_DEBUG_TRACE,
+@@ -1412,14 +1421,6 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ }
+ done:
+ if ( status != PR_SUCCESS ) {
+- const char *fmtstr = NULL;
+- if ( cacertfile && cacertdir ) {
+- fmtstr = "TLS: did not find any valid CA certificates in %s or %s\n";
+- } else {
+- fmtstr = "TLS: did not find any valid CA certificates in %s%s\n";
+- }
+- Debug( LDAP_DEBUG_ANY, fmtstr, cacertdir ? cacertdir : "",
+- cacertfile ? cacertfile : "", 0 );
+ return -1;
+ }
+ 
diff --git a/openldap.spec b/openldap.spec
index bd37689..c2113eb 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -28,6 +28,7 @@ Patch5: openldap-smbk5pwd-overlay.patch
 Patch6: openldap-ldaprc-currentdir.patch
 Patch7: openldap-userconfig-setgid.patch
 Patch8: openldap-nss-nofork.patch
+Patch9: openldap-nss-cacertdir-soft-error.patch
 
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@@ -128,6 +129,7 @@ pushd openldap-%{version}
 %patch6 -p1 -b .ldaprc-currentdir
 %patch7 -p1 -b .userconfig-setgid
 %patch8 -p1 -b .nss-nofork
+%patch9 -p1 -b .nss-cacertdir-soft-error
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 
@@ -656,6 +658,8 @@ exit 0
 - enable ldapi:/// interface by default
 - set cn=config management ACLs for root user, SASL external schema (#712495)
 - fix: server scriptlets require initscripts package (#716857)
+- fix: connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT
+ is set to 'never' (#716854)
 
 * Fri Mar 18 2011 Jan Vcelak 2.4.24-2
 - new: system resource limiting for slapd using ulimit
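Review bot: Deleting the LDAP_DEBUG_ANY message under `done:` leaves no default-level diagnostic when TLS_CACERTDIR is missing or yields no usable CA: with `status` now starting at PR_SUCCESS and only the cacertfile branch setting PR_FAILURE, a nonexistent directory with no TLS_CACERTFILE returns 0 with zero CAs loaded and only TRACE-level output. The comment added before `if ( cacertdir )` conditions the soft failure on the user having disabled certificate checking, but nothing in the hunk consults the TLS_REQCERT setting, so as far as these lines show the soft failure applies at every reqcert level and enforcement rests on the verification path elsewhere in tls_m.c rejecting peers when no CA is trusted; worth confirming that path. I would keep one default-level notice where the directory cannot be opened or loads nothing, e.g. `Debug( LDAP_DEBUG_ANY, "TLS: did not find any valid CA certificates in %s\n", cacertdir, 0, 0 );`, so operators can tell a misconfigured trust store from a working one. The code that opens and walks cacertdir lies between the nested hunks, and tlsm_init_ca_certs begins before the first of them, so both are outside this view.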