6468aa6a54
Mozilla NSS - support use of self signed CA certs as server certs (#614545)
52 lines
2.1 KiB
Diff
52 lines
2.1 KiB
Diff
#614545 Mozilla NSS - support use of self signed CA certs as server certs
|
|
upstream: http://www.openldap.org/its/index.cgi issue 6589
|
|
|
|
diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
|
|
--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200
|
|
+++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200
|
|
@@ -1491,11 +1491,40 @@
|
|
status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert,
|
|
checkSig, certUsage,
|
|
pin_arg, NULL );
|
|
- if (status != SECSuccess) {
|
|
+ if ( status != SECSuccess ) {
|
|
+ /* NSS doesn't like self-signed CA certs that are also used for
|
|
+ TLS/SSL server certs (such as generated by openssl req -x509)
|
|
+ CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case
|
|
+ so, see if the cert and issuer are the same cert
|
|
+ */
|
|
PRErrorCode errcode = PR_GetError();
|
|
- Debug( LDAP_DEBUG_ANY,
|
|
- "TLS: error: the certificate %s is not valid - error %d:%s\n",
|
|
- certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
|
+
|
|
+ if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) {
|
|
+ CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer );
|
|
+ if ( NULL == issuer ) {
|
|
+ /* no issuer - warn and allow */
|
|
+ status = SECSuccess;
|
|
+ rc = 0;
|
|
+ Debug( LDAP_DEBUG_ANY,
|
|
+ "TLS: warning: the server certificate %s has no issuer - "
|
|
+ "please check this certificate for validity\n",
|
|
+ certname, 0, 0 );
|
|
+ } else if ( CERT_CompareCerts( cert, issuer ) ) {
|
|
+ /* self signed - warn and allow */
|
|
+ status = SECSuccess;
|
|
+ rc = 0;
|
|
+ Debug( LDAP_DEBUG_ANY,
|
|
+ "TLS: warning: using self-signed server certificate %s\n",
|
|
+ certname, 0, 0 );
|
|
+ }
|
|
+ CERT_DestroyCertificate( issuer );
|
|
+ }
|
|
+
|
|
+ if ( status != SECSuccess ) {
|
|
+ Debug( LDAP_DEBUG_ANY,
|
|
+ "TLS: error: the certificate %s is not valid - error %d:%s\n",
|
|
+ certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
|
|
+ }
|
|
} else {
|
|
rc = 0; /* success */
|
|
}
|