[openldap] fix: slapd refuses to set up TLS with self-signed PEM certificate

jvcelak jvcelak at fedoraproject.org
Sat Jul 21 16:06:56 UTC 2012


commit 2d64625e781ddf997a452cf89007aef2fbf85bd8
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Sat Jul 21 16:41:48 2012 +0200

    fix: slapd refuses to set up TLS with self-signed PEM certificate
    
    Resolves: #842022

 ...p-nss-ignore-untrusted-issuer-server-cert.patch |   99 ++++++++++++++++++++
 openldap.spec                                      |    7 +-
 2 files changed, 105 insertions(+), 1 deletions(-)
---
diff --git a/openldap-nss-ignore-untrusted-issuer-server-cert.patch b/openldap-nss-ignore-untrusted-issuer-server-cert.patch
new file mode 100644
index 0000000..2f5442e
--- /dev/null
+++ b/openldap-nss-ignore-untrusted-issuer-server-cert.patch
@@ -0,0 +1,99 @@
+MozNSS: ignore untrusted issuer error when veryfing server cert
+
+(Untrusted issuer error can apper with self-signed PEM certificates.)
+
+Author: Jan Vcelak <jvcelak at redhat.com>
+Resolves: #842022
+Upstream ITS: #7331
+
+---
+ libraries/libldap/tls_m.c | 26 ++++++++++----------------
+ 1 file changed, 10 insertions(+), 16 deletions(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index 4b5727b..f37da06 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -992,14 +992,15 @@ tlsm_cert_is_self_issued( CERTCertificate *cert )
+ 
+ static SECStatus
+ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+-				 PRBool checksig, SECCertificateUsage certUsage, int errorToIgnore )
++				 PRBool checksig, SECCertificateUsage certUsage, PRBool warn_only,
++				 PRBool ignore_issuer )
+ {
+ 	CERTVerifyLog verifylog;
+ 	SECStatus ret = SECSuccess;
+ 	const char *name;
+ 	int debug_level = LDAP_DEBUG_ANY;
+ 
+-	if ( errorToIgnore == -1 ) {
++	if ( warn_only ) {
+ 		debug_level = LDAP_DEBUG_TRACE;
+ 	}
+ 
+@@ -1063,7 +1064,11 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ 
+ 					PR_SetError(orig_error, orig_oserror);
+ 
+-				} else if ( errorToIgnore && ( node->error == errorToIgnore ) ) {
++				} else if ( warn_only || ( ignore_issuer && (
++					node->error == SEC_ERROR_UNKNOWN_ISSUER ||
++					node->error == SEC_ERROR_UNTRUSTED_ISSUER )
++				) ) {
++					ret = SECSuccess;
+ 					Debug( debug_level,
+ 						   "TLS: Warning: ignoring error for certificate [%s] - error %ld:%s.\n",
+ 						   name, node->error, PR_ErrorToString( node->error, PR_LANGUAGE_I_DEFAULT ) );
+@@ -1084,8 +1089,6 @@ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ 	if ( ret == SECSuccess ) {
+ 		Debug( LDAP_DEBUG_TRACE,
+ 			   "TLS: certificate [%s] is valid\n", name, 0, 0 );
+-	} else if ( errorToIgnore == -1 ) {
+-		ret = SECSuccess;
+ 	}
+ 
+ 	return ret;
+@@ -1098,15 +1101,11 @@ tlsm_auth_cert_handler(void *arg, PRFileDesc *fd,
+ 	SECCertificateUsage certUsage = isServer ? certificateUsageSSLClient : certificateUsageSSLServer;
+ 	SECStatus ret = SECSuccess;
+ 	CERTCertificate *peercert = SSL_PeerCertificate( fd );
+-	int errorToIgnore = 0;
+ 	tlsm_ctx *ctx = (tlsm_ctx *)arg;
+ 
+-	if (ctx && ctx->tc_warn_only )
+-		errorToIgnore = -1;
+-
+ 	ret = tlsm_verify_cert( ctx->tc_certdb, peercert,
+ 							SSL_RevealPinArg( fd ),
+-							checksig, certUsage, errorToIgnore );
++							checksig, certUsage, ctx->tc_warn_only, PR_FALSE );
+ 	CERT_DestroyCertificate( peercert );
+ 
+ 	return ret;
+@@ -1815,7 +1814,6 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
+ 	SECCertificateUsage certUsage;
+ 	PRBool checkSig;
+ 	SECStatus status;
+-	int errorToIgnore;
+ 	void *pin_arg;
+ 
+ 	if (tlsm_ctx_load_private_key(ctx))
+@@ -1824,13 +1822,9 @@ tlsm_find_and_verify_cert_key(tlsm_ctx *ctx)
+ 	pin_arg = SSL_RevealPinArg(ctx->tc_model);
+ 	certUsage = ctx->tc_is_server ? certificateUsageSSLServer : certificateUsageSSLClient;
+ 	checkSig = ctx->tc_verify_cert ? PR_TRUE : PR_FALSE;
+-	if ( ctx->tc_warn_only )
+-		errorToIgnore = -1;
+-	else
+-		errorToIgnore = SEC_ERROR_UNKNOWN_ISSUER; /* may not have a CA cert */
+ 
+ 	status = tlsm_verify_cert( ctx->tc_certdb, ctx->tc_certificate, pin_arg,
+-							   checkSig, certUsage, errorToIgnore );
++							   checkSig, certUsage, ctx->tc_warn_only, PR_TRUE );
+ 
+ 	return status == SECSuccess ? 0 : -1;
+ }
+-- 
+1.7.11.2
+
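Review bot: The `ret = SECSuccess;` added in the ignore branch of tlsm_verify_cert (`} else if ( warn_only || ( ignore_issuer && (` …) executes once per verifylog node, so when the log holds several entries an ignorable UNKNOWN/UNTRUSTED_ISSUER node that comes after a non-ignorable one (expired certificate, wrong usage) would overwrite the failure that earlier node recorded — assuming the surrounding else branch assigns `ret = SECFailure`, which, like the loop header, lies outside this hunk. A form that cannot mask an earlier failure is to never assign success inside the loop: keep a local `int fatal = 0;`, set `fatal = 1;` in the non-ignored branch, and after the loop `ret = fatal ? SECFailure : SECSuccess;`, which also reproduces the removed post-loop `errorToIgnore == -1` behaviour for `warn_only`. The two new PRBool parameters carry the whole security boundary of this change (issuer errors are tolerated only for the locally configured certificate in tlsm_find_and_verify_cert_key, never for the peer certificate in tlsm_auth_cert_handler) yet get no comment; a line such as `/* warn_only: log every verification error and succeed; ignore_issuer: tolerate only an unknown/untrusted issuer (own cert, never the peer's) */` at the definition would make that intent survive the next edit.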
diff --git a/openldap.spec b/openldap.spec
index e8351ac..9b112f7 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -8,7 +8,7 @@
 
 Name: openldap
 Version: 2.4.31
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: LDAP support libraries
 Group: System Environment/Daemons
 License: OpenLDAP
@@ -47,6 +47,7 @@ Patch15: openldap-cve-nss-cipher-suite-ignored.patch
 Patch16: openldap-nss-default-cipher-suite-always-selected.patch
 Patch17: openldap-nss-multiple-tls-contexts.patch
 Patch18: openldap-ai-addrconfig.patch
+Patch19: openldap-nss-ignore-untrusted-issuer-server-cert.patch
 
 # Fedora specific patches
 Patch100: openldap-autoconf-pkgconfig-nss.patch
@@ -167,6 +168,7 @@ ln -s %{_includedir}/nspr4 include/nspr
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
+%patch19 -p1
 
 %patch101 -p1
 
@@ -624,6 +626,9 @@ exit 0
 %{evolution_connector_prefix}/
 
 %changelog
+* Sat Jul 21 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.31-7
+- fix: slapd refuses to set up TLS with self-signed PEM certificate (#842022)
+
 * Fri Jul 20 2012 Jan Vcelak <jvcelak at redhat.com> 2.4.31-6
 - multilib fix: move libslapi from openldap-servers to openldap package
 

