[openldap/f15] fix: TLS_REQCERT=never ignored when the issuer certificate is expired

jvcelak jvcelak at fedoraproject.org
Wed Aug 24 19:26:48 UTC 2011


commit c680ce0e4eb4c9c5f655a43df7d8769799e56af4
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Wed Aug 24 20:18:41 2011 +0200

    fix: TLS_REQCERT=never ignored when the issuer certificate is expired
    
    Resolves: #722961

 openldap-nss-can-ignore-expired-issuer.patch |   23 +++++++++++++++++++++++
 openldap.spec                                |    3 +++
 2 files changed, 26 insertions(+), 0 deletions(-)
---
diff --git a/openldap-nss-can-ignore-expired-issuer.patch b/openldap-nss-can-ignore-expired-issuer.patch
new file mode 100644
index 0000000..587b3b2
--- /dev/null
+++ b/openldap-nss-can-ignore-expired-issuer.patch
@@ -0,0 +1,23 @@
+MozNSS: when cert not required, ignore issuer expiration
+    
+When server certificate is not required in a TLS session (e.g.
+TLS_REQCERT is set to 'never'), ignore expired issuer certificate error
+and do not terminate the connection.
+
+Author: Jan Vcelak <jvcelak at redhat.com>
+Upstream ITS: #6998
+Upstream commit: e8ac17e17c831ed44174a22c1cb2a8dc39fcb976
+Resolves: #722961
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 32af7ec..7ae7d82 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -671,6 +671,7 @@ tlsm_bad_cert_handler(void *arg, PRFileDesc *ssl)
+ 	case SEC_ERROR_UNTRUSTED_ISSUER:
+ 	case SEC_ERROR_UNKNOWN_ISSUER:
+ 	case SEC_ERROR_EXPIRED_CERTIFICATE:
++	case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
+ 		if (ctx->tc_verify_cert) {
+ 			success = SECFailure;
+ 		}
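Review bot: The new `SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE` case keeps the handler's allow-list shape, so any NSS error code not enumerated here (a revoked certificate, an invalid CA certificate, a bad signature) still tears the session down even when `tc_verify_cert` is clear, and the class of bug this commit fixes will recur for the next unlisted code. If a cleared `tc_verify_cert` really means "accept whatever the peer presents" (the hunk does not show how the flag is derived from TLS_REQCERT, so confirm against the code that sets it), the cleaner form is to test the flag once before the `switch` and return `SECSuccess`, leaving the `switch` to decide only for verifying contexts. Whichever shape is kept, the tolerated error should not be silent: an `else` branch such as `Debug( LDAP_DEBUG_ANY, "TLS: ignoring certificate error %d, verification disabled\n", err, 0, 0 );` (assuming libldap's `Debug` macro is usable here as elsewhere in the library) is the only hint an operator who set `never` by mistake will get that the server is not being authenticated. A one-line comment above the case list, `/* these errors are fatal only when certificate verification is enabled */`, would also make the contract explicit at the point where cases get added. tlsm_bad_cert_handler begins and ends outside this hunk.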
diff --git a/openldap.spec b/openldap.spec
index 8ca3ad8..2299f7f 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -46,6 +46,7 @@ Patch23: openldap-man-slapo-unique.patch
 Patch24: openldap-nss-wildcards.patch
 Patch25: openldap-man-ldap-sync.patch
 Patch26: openldap-sasl-gssapi-options.patch
+Patch27: openldap-nss-can-ignore-expired-issuer.patch
 
 # patches for the evolution library (see README.evolution)
 Patch200: openldap-evolution-ntlm.patch
@@ -164,6 +165,7 @@ pushd openldap-%{version}
 %patch24 -p1 -b .nss-wildcards
 %patch25 -p1 -b .man-ldap-sync
 %patch26 -p1 -b .sasl-gssapi-options
+%patch27 -p1 -b .nss-can-ignore-expired-issuer
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 
@@ -716,6 +718,7 @@ exit 0
 - fix: matching wildcard hostnames in certificate Subject field does not work (#733073)
 - manpage fix: wrong ldap_sync_destroy() prototype in ldap_sync(3) manpage (#717722)
 - fix: cannot set SASL or GSSAPI options (#733056)
+- fix: TLS_REQCERT=never ignored when the issuer certificate is expired (#722961)
 
 * Tue Jun 28 2011 Jan Vcelak <jvcelak at redhat.com> 2.4.24-3
 - fix: openldap-servers scriptlets require initscripts package (#716857)

