[openldap/f15] fix: connection failure if TLS_CACERTDIR doesn't exist but TLS_REQCERT is set to 'never'
jvcelak
jvcelak at fedoraproject.org
Tue Jun 28 09:27:22 UTC 2011
commit 73ccb0217a410e43f3e8093a3127cff6a18425be
Author: Jan Vcelak <jvcelak at redhat.com>
Date: Mon Jun 27 15:05:53 2011 +0200
fix: connection failure if TLS_CACERTDIR doesn't exist but TLS_REQCERT is set to 'never'
Resolves: #716854
openldap-nss-cacertdir-soft-error.patch | 68 +++++++++++++++++++++++++++++++
openldap.spec | 2 +
2 files changed, 70 insertions(+), 0 deletions(-)
---
diff --git a/openldap-nss-cacertdir-soft-error.patch b/openldap-nss-cacertdir-soft-error.patch
new file mode 100644
index 0000000..3da419a
--- /dev/null
+++ b/openldap-nss-cacertdir-soft-error.patch
@@ -0,0 +1,68 @@
+Connection fails if TLS_CACERTDIR doesn't exist but TLS_REQCERT is set to 'never'
+
+Resolves: #716854
+Author: Rich Megginson <rmeggins at redhat.com>
+Upstream: ITS #6975, git 7e528ae
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 911885d..7be703b 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -1320,7 +1320,7 @@ static int
+ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir )
+ {
+ PRBool isca = PR_TRUE;
+- PRStatus status = PR_FAILURE;
++ PRStatus status = PR_SUCCESS;
+ PRErrorCode errcode = PR_SUCCESS;
+
+ if ( !cacertfile && !cacertdir ) {
+@@ -1336,14 +1336,24 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ "TLS: %s is not a valid CA certificate file - error %d:%s.\n",
+ cacertfile, errcode,
+ PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
++ /* failure with cacertfile is a hard failure even if cacertdir is
++ also specified and contains valid CA cert files */
++ status = PR_FAILURE;
+ } else {
+ Debug( LDAP_DEBUG_TRACE,
+ "TLS: loaded CA certificate file %s.\n",
+ cacertfile, 0, 0 );
+- status = PR_SUCCESS; /* have at least one good CA - we can proceed */
+ }
+ }
+
++ /* if cacertfile above failed, we will return failure, even
++ if there is a valid CA cert in cacertdir - but we still
++ process cacertdir in case the user has enabled trace level
++ debugging so they can see the processing for cacertdir too */
++ /* any cacertdir failures are "soft" failures - if the user specifies
++ no cert checking, then we allow the tls/ssl to continue, no matter
++ what was specified for cacertdir, or the contents of the directory
++ - this is different behavior than that of cacertfile */
+ if ( cacertdir ) {
+ PRFileInfo fi;
+ PRDir *dir;
+@@ -1397,7 +1407,6 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ Debug( LDAP_DEBUG_TRACE,
+ "TLS: loaded CA certificate file %s from CA certificate directory %s.\n",
+ fullpath, cacertdir, 0 );
+- status = PR_SUCCESS; /* found at least 1 valid CA file in the dir */
+ } else {
+ errcode = PR_GetError();
+ Debug( LDAP_DEBUG_TRACE,
+@@ -1412,14 +1421,6 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
+ }
+ done:
+ if ( status != PR_SUCCESS ) {
+- const char *fmtstr = NULL;
+- if ( cacertfile && cacertdir ) {
+- fmtstr = "TLS: did not find any valid CA certificates in %s or %s\n";
+- } else {
+- fmtstr = "TLS: did not find any valid CA certificates in %s%s\n";
+- }
+- Debug( LDAP_DEBUG_ANY, fmtstr, cacertdir ? cacertdir : "",
+- cacertfile ? cacertfile : "", 0 );
+ return -1;
+ }
+
diff --git a/openldap.spec b/openldap.spec
index e86276a..6d45cf8 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -31,6 +31,7 @@ Patch8: openldap-userconfig-setgid.patch
Patch9: openldap-nss-nofork.patch
Patch10: openldap-nss-null-pointer.patch
Patch11: openldap-slapadd-hang.patch
+Patch12: openldap-nss-cacertdir-soft-error.patch
# patches for the evolution library (see README.evolution)
Patch200: openldap-evolution-ntlm.patch
@@ -134,6 +135,7 @@ pushd openldap-%{version}
%patch9 -p1 -b .nss-nofork
%patch10 -p1 -b .nss-null-pointer
%patch11 -p1 -b .slapadd-hang
+%patch12 -p1 -b .nss-cacertdir-soft-error
cp %{_datadir}/libtool/config/config.{sub,guess} build/