forked from pool/openldap2
20d52f9a9c
to let OpenLDAP read system wide certificate directory by default and avoid hiding the error if user specified CA location cannot be read (bsc#1009470). OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=168
34 lines
1.5 KiB
Diff
34 lines
1.5 KiB
Diff
The TLS configuration deliberately hid the error in case that user specified CA locations
|
|
cannot be read, by loading CAs from default locations; and when user does not specify CA
|
|
locations, the CAs from default locations are not read at all.
|
|
|
|
This patch corrects the behaviour so that CAs from default location are used if user does
|
|
not specify a CA location, and user is informed of the error if CAs cannot be loaded from
|
|
the user specified location.
|
|
|
|
Howard Guo <hguo@suse.com> 2016-11-10
|
|
|
|
diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
|
|
--- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200
|
|
+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100
|
|
@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
|
|
return -1;
|
|
}
|
|
|
|
- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
|
|
+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
|
|
+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
|
|
+ Debug( LDAP_DEBUG_ANY, "TLS: "
|
|
+ "could not use default certificate paths", 0, 0, 0 );
|
|
+ tlso_report_error();
|
|
+ return -1;
|
|
+ }
|
|
+ } else {
|
|
if ( !SSL_CTX_load_verify_locations( ctx,
|
|
- lt->lt_cacertfile, lt->lt_cacertdir ) ||
|
|
- !SSL_CTX_set_default_verify_paths( ctx ) )
|
|
+ lt->lt_cacertfile, lt->lt_cacertdir ) )
|
|
{
|
|
Debug( LDAP_DEBUG_ANY, "TLS: "
|
|
"could not load verify locations (file:`%s',dir:`%s').\n",
|