1
0
forked from pool/openldap2
openldap2/0012-use-system-wide-cert-dir-by-default.patch
Howard Guo 20d52f9a9c - Introduce patch 0012-use-system-wide-cert-dir-by-default.patch
to let OpenLDAP read system wide certificate directory by
  default and avoid hiding the error if user specified CA location
  cannot be read (bsc#1009470).

OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=168
2016-11-10 14:56:16 +00:00

34 lines
1.5 KiB
Diff

The TLS configuration deliberately hid the error in case that user specified CA locations
cannot be read, by loading CAs from default locations; and when user does not specify CA
locations, the CAs from default locations are not read at all.
This patch corrects the behaviour so that CAs from default location are used if user does
not specify a CA location, and user is informed of the error if CAs cannot be loaded from
the user specified location.
Howard Guo <hguo@suse.com> 2016-11-10
diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
--- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200
+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100
@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
return -1;
}
- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: "
+ "could not use default certificate paths", 0, 0, 0 );
+ tlso_report_error();
+ return -1;
+ }
+ } else {
if ( !SSL_CTX_load_verify_locations( ctx,
- lt->lt_cacertfile, lt->lt_cacertdir ) ||
- !SSL_CTX_set_default_verify_paths( ctx ) )
+ lt->lt_cacertfile, lt->lt_cacertdir ) )
{
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load verify locations (file:`%s',dir:`%s').\n",