[openldap] fix: slapd refuses to set up TLS with self-signed PEM certificate
jvcelak
jvcelak at fedoraproject.org
Sat Jul 21 16:06:56 UTC 2012
commit 2d64625e781ddf997a452cf89007aef2fbf85bd8
Author: Jan Vcelak <jvcelak at redhat.com>
Date: Sat Jul 21 16:41:48 2012 +0200
fix: slapd refuses to set up TLS with self-signed PEM certificate
Resolves: #842022
...p-nss-ignore-untrusted-issuer-server-cert.patch | 99 ++++++++++++++++++++
openldap.spec | 7 +-
2 files changed, 105 insertions(+), 1 deletions(-)
---
diff --git a/openldap-nss-ignore-untrusted-issuer-server-cert.patch b/openldap-nss-ignore-untrusted-issuer-server-cert.patch
new file mode 100644
index 0000000..2f5442e
--- /dev/null
+++ b/openldap-nss-ignore-untrusted-issuer-server-cert.patch
@@ -0,0 +1,99 @@
+MozNSS: ignore untrusted issuer error when veryfing server cert
+
+(Untrusted issuer error can apper with self-signed PEM certificates.)
+
+Author: Jan Vcelak <jvcelak at redhat.com>
+Resolves: #842022
+Upstream ITS: #7331
+
+---
+ libraries/libldap/tls_m.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 4b5727b..f37da06 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -992,14 +992,15 @@ tlsm_cert_is_self_issued( CERTCertificate *cert )
+
+ static SECStatus
+ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+- PRBool checksig, SECCertificateUsage certUsage, int errorToIgnore )
++ PRBool checksig, SECCertificateUsage certUsage, PRBool warn_only,
++ PRBool ignore_issuer )
+ {
+ CERTVerifyLog verifylog;
+ SECStatus ret = SECSuccess;
+ const char *name;
+ int debug_level = LDAP_DEBUG_ANY;
+
+- if ( errorToIgnore == -1 ) {
++ if ( warn_only ) {
+ debug_level = LDAP_DEBUG_TRACE;
+ }
+
+@@ -1063,7 +1064,11 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+
+ PR_SetError(orig_error, orig_oserror);
+
+- } else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
++ } else if ( warn_only || ( ignore_issuer && (
++ node->error == SEC_ERROR_UNKNOWN_ISSUER ||
++ node->error == SEC_ERROR_UNTRUSTED_ISSUER )
++ ) ) {
++ ret = SECSuccess;
+ Debug( debug_level,
+ "TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
+ name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) );
+@@ -1084,8 +1089,6 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ if ( ret == SECSuccess ) {
+ Debug( LDAP_DEBUG_TRACE,
+ "TLS: certificate [%s] is valid\n", name, 0, 0 );
+- } else if ( errorToIgnore == -1 ) {
+- ret = SECSuccess;
+ }
+
+ return ret;
+@@ -1098,15 +1101,11 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
+ SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
+ SECStatus ret = SECSuccess;
+ CERTCertificate *peercert = SSL_PeerCertificate( fd );
+- int errorToIgnore = 0;
+ tlsm_ctx *ctx = (tlsm_ctx *)arg;
+
+- if (ctx && ctx->tc_warn_only )
+- errorToIgnore = -1;
+-
+ ret = tlsm_verify_cert( ctx->tc_certdb, peercert,
+ SSL_RevealPinArg( fd ),
+- checksig, certUsage, errorToIgnore );
++ checksig, certUsage, ctx->tc_warn_only, PR_FALSE );
+ CERT_DestroyCertificate( peercert );
+
+ return ret;
+@@ -1815,7 +1814,6 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
+ SECCertificateUsage certUsage;
+ PRBool checkSig;
+ SECStatus status;
+- int errorToIgnore;
+ void *pin_arg;
+
+ if (tlsm_ctx_load_private_key(ctx))
+@@ -1824,13 +1822,9 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
+ pin_arg = SSL_RevealPinArg(ctx->tc_model);
+ certUsage = ctx->tc_is_server ? certificateUsageSSLServer : certificateUsageSSLClient;
+ checkSig = ctx->tc_verify_cert ? PR_TRUE : PR_FALSE;
+- if ( ctx->tc_warn_only )
+- errorToIgnore = -1;
+- else
+- errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER; /* may not have a CA cert */
+
+ status = tlsm_verify_cert( ctx->tc_certdb, ctx->tc_certificate, pin_arg,
+- checkSig, certUsage, errorToIgnore );
++ checkSig, certUsage, ctx->tc_warn_only, PR_TRUE );
+
+ return status == SECSuccess ? 0 : -1;
+ }
+--
+1.7.11.2
+
diff --git a/openldap.spec b/openldap.spec
index e8351ac..9b112f7 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -8,7 +8,7 @@
Name: openldap
Version: 2.4.31
-Release: 6%{?dist}
+Release: 7%{?dist}
Summary: LDAP support libraries
Group: System Environment/Daemons
License: OpenLDAP
@@ -47,6 +47,7 @@ Patch15: openldap-cve-nss-cipher-suite-ignored.patch
Patch16: openldap-nss-default-cipher-suite-always-selected.patch
Patch17: openldap-nss-multiple-tls-contexts.patch
Patch18: openldap-ai-addrconfig.patch
+Patch19: openldap-nss-ignore-untrusted-issuer-server-cert.patch
# Fedora specific patches
Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -167,6 +168,7 @@ ln -s %{_includedir}/nspr4 include/nspr
%patch16 -p1
%patch17 -p1
%patch18 -p1
+%patch19 -p1
%patch101 -p1
@@ -624,6 +626,9 @@ exit 0
%{evolution_connector_prefix}/
%changelog
+* Sat Jul 21 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.31-7
+- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022)
+
* Fri Jul 20 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.31-6
- multilib fix: move libslapi from openldap-servers to openldap package
More information about the scm-commits
mailing list