import openldap-2.4.46-10.el8
This commit is contained in:
CentOS Sources
Stepan Oksanichenko
parent
9f32393ce8
commit
c514fb88ce
29
SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
Normal file
29
SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
Normal file
@ -0,0 +1,29 @@
|
||||
Do not check CN when checking SAN failed
|
||||
|
||||
This is to make it compliant with RFC 6125:
|
||||
https://tools.ietf.org/html/rfc6125#section-6.4.4
|
||||
|
||||
Author: Matus Honek <mhonek@redhat.com>
|
||||
|
||||
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
|
||||
index 92c708be0..46b48a3fb 100644
|
||||
--- a/libraries/libldap/tls_o.c
|
||||
+++ b/libraries/libldap/tls_o.c
|
||||
@@ -675,11 +675,16 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
|
||||
GENERAL_NAMES_free(alt);
|
||||
if (i < n) { /* Found a match */
|
||||
ret = LDAP_SUCCESS;
|
||||
+ } else { /* None matched */
|
||||
+ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match any "
|
||||
+ "SAN in certificate.\n",
|
||||
+ name, NULL, NULL );
|
||||
+ ret = LDAP_CONNECT_ERROR;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
- if (ret != LDAP_SUCCESS) {
|
||||
+ if (ret == LDAP_LOCAL_ERROR) {
|
||||
X509_NAME *xn;
|
||||
X509_NAME_ENTRY *ne;
|
||||
ASN1_OBJECT *obj;
|
||||
@ -5,7 +5,7 @@
|
||||
|
||||
Name: openldap
|
||||
Version: 2.4.46
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
Summary: LDAP support libraries
|
||||
License: OpenLDAP
|
||||
URL: http://www.openldap.org/
|
||||
@ -37,6 +37,7 @@ Patch20: openldap-ldapi-sasl.patch
|
||||
Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
|
||||
Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
|
||||
Patch24: openldap-openssl-manpage-defaultCA.patch
|
||||
Patch25: openldap-tlso-dont-check-cn-when-bad-san.patch
|
||||
|
||||
# check-password module specific patches
|
||||
Patch90: check-password-makefile.patch
|
||||
@ -116,6 +117,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
%patch25 -p1
|
||||
|
||||
# build smbk5pwd with other overlays
|
||||
ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
|
||||
@ -485,6 +487,9 @@ exit 0
|
||||
%{_mandir}/man3/*
|
||||
|
||||
%changelog
|
||||
* Sun Aug 18 2019 Matus Honek <mhonek@redhat.com> - 2.4.46-10
|
||||
- Do not fallback to checking CN when no SAN matched (#1740070)
|
||||
|
||||
* Mon Dec 17 2018 Matus Honek <mhonek@redhat.com> - 2.4.46-9
|
||||
- Reference default system-wide CA certificates in manpages (#1611624)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user