- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch

to let OpenLDAP read system wide certificate directory by default and avoid hiding the error if user specified CA location cannot be read (bsc#1009470). OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=168
2016-11-10 14:56:16 +00:00 · 2016-11-10 14:56:16 +00:00 · 20d52f9a9c
commit 20d52f9a9c
parent 1efa980544
3 changed files with 43 additions and 0 deletions
--- a/0012-use-system-wide-cert-dir-by-default.patch
+++ b/0012-use-system-wide-cert-dir-by-default.patch
@ -0,0 +1,33 @@
+The TLS configuration deliberately hid the error in case that user specified CA locations
+cannot be read, by loading CAs from default locations; and when user does not specify CA
+locations, the CAs from default locations are not read at all.
+
+This patch corrects the behaviour so that CAs from default location are used if user does
+not specify a CA location, and user is informed of the error if CAs cannot be loaded from
+the user specified location.
+
+Howard Guo <hguo@suse.com> 2016-11-10
+
+diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
+--- openldap-2.4.41/libraries/libldap/tls_o.c	2015-06-21 02:19:58.000000000 +0200
+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c	2016-11-10 15:10:32.784147041 +0100
+@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
+ 		return -1;
+ 	}
+ 
+-	if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
+	if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
+		if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
+			Debug( LDAP_DEBUG_ANY, "TLS: "
+				"could not use default certificate paths", 0, 0, 0 );
+			tlso_report_error();
+			return -1;
+		}
+	} else {
+ 		if ( !SSL_CTX_load_verify_locations( ctx,
+-				lt->lt_cacertfile, lt->lt_cacertdir ) ||
+-			!SSL_CTX_set_default_verify_paths( ctx ) )
+				lt->lt_cacertfile, lt->lt_cacertdir ) )
+ 		{
+ 			Debug( LDAP_DEBUG_ANY, "TLS: "
+ 				"could not load verify locations (file:`%s',dir:`%s').\n",
--- a/openldap2.changes
+++ b/openldap2.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Nov 10 12:55:26 UTC 2016 - hguo@suse.com
+
+- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch
+  to let OpenLDAP read system wide certificate directory by
+  default and avoid hiding the error if user specified CA location
+  cannot be read (bsc#1009470).
+
 -------------------------------------------------------------------
 Fri Oct 14 13:15:23 UTC 2016 - hguo@suse.com

--- a/openldap2.spec
+++ b/openldap2.spec
@ -58,6 +58,7 @@ Patch8:         0008-In-monitor-backend-do-not-return-Connection0-entries.patch
 Patch9:         0009-Fix-ldap-host-lookup-ipv6.patch
 Patch10:        0010-Enforce-minimum-DH-size-of-1024.patch
 Patch11:        0011-openldap-re24-its7796.patch
+Patch12:        0012-use-system-wide-cert-dir-by-default.patch
 Source200:      %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
 Source201:      %{name_ppolicy_check_module}.Makefile
 Source202:      %{name_ppolicy_check_module}.conf
@ -251,6 +252,7 @@ gzip -k %{S:203}
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 cp %{SOURCE5} .

 # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/