Accepting request 439540 from network:ldap

- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch
  to let OpenLDAP read the system-wide certificate directory by
  default and avoid hiding the error if the user-specified CA location
  cannot be read (bsc#1009470).

OBS-URL: https://build.opensuse.org/request/show/439540
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=122
This commit is contained in:
Dominique Leuenberger 2016-11-13 21:49:57 +00:00 committed by Git OBS Bridge
commit 712d0ccde5
3 changed files with 43 additions and 0 deletions

@ -0,0 +1,33 @@
The TLS configuration deliberately hid the error in case user-specified CA locations
cannot be read, by loading CAs from default locations; and when the user does not specify CA
locations, the CAs from default locations are not read at all.
This patch corrects the behaviour so that CAs from the default location are used if the user does
not specify a CA location, and the user is informed of the error if CAs cannot be loaded from
the user-specified location.
Howard Guo <hguo@suse.com> 2016-11-10
diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
--- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200
+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100
@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
return -1;
}
- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: "
+ "could not use default certificate paths", 0, 0, 0 );
+ tlso_report_error();
+ return -1;
+ }
+ } else {
if ( !SSL_CTX_load_verify_locations( ctx,
- lt->lt_cacertfile, lt->lt_cacertdir ) ||
- !SSL_CTX_set_default_verify_paths( ctx ) )
+ lt->lt_cacertfile, lt->lt_cacertdir ) )
{
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load verify locations (file:`%s',dir:`%s').\n",
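Review bot: the new Debug message in the `ldo_tls_cacertfile == NULL && ldo_tls_cacertdir == NULL` branch, `"could not use default certificate paths", 0, 0, 0 );`, lacks the trailing `\n` that the sibling message in the else branch carries (`"could not load verify locations (file:`%s',dir:`%s').\n"`), so the log line runs into whatever is logged next; add the newline. Two further points on this hunk. Removing `!SSL_CTX_set_default_verify_paths( ctx )` from the else branch changes behaviour for every deployment that sets a CA file or directory and also relied on the system bundle being merged in: a configured location now replaces the defaults instead of extending them, and while the patch header says so, the TLS_CACERT/TLS_CACERTDIR description in ldap.conf(5) should state it too. And the early return after SSL_CTX_set_default_verify_paths() is weaker than it looks: OpenSSL clears its own errors and reports success from that call even when the default file and directory are absent, so this branch mainly catches lookup allocation failure, and a host with no system CA bundle still fails only at handshake verification time; worth verifying against the OpenSSL build in use when testing bsc#1009470.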

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Nov 10 12:55:26 UTC 2016 - hguo@suse.com
- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch
to let OpenLDAP read system wide certificate directory by
default and avoid hiding the error if user specified CA location
cannot be read (bsc#1009470).
-------------------------------------------------------------------
Fri Oct 14 13:15:23 UTC 2016 - hguo@suse.com

@ -58,6 +58,7 @@ Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch
Patch11: 0011-openldap-re24-its7796.patch
Patch12: 0012-use-system-wide-cert-dir-by-default.patch
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
Source201: %{name_ppolicy_check_module}.Makefile
Source202: %{name_ppolicy_check_module}.conf
@ -251,6 +252,7 @@ gzip -k %{S:203}
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
cp %{SOURCE5} .
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
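A shell check that mirrors the patched CA-source decision, added here as an example and not part of the openldap2 package or of the patch above: it reads TLS_CACERT and TLS_CACERTDIR (the ldap.conf(5) keys behind ldo_tls_cacertfile and ldo_tls_cacertdir) from a given configuration file, reports whether the patched libldap would fall back to the OpenSSL default verify paths or use only the configured locations, and fails when a configured location is unreadable, which is the case the old code only logged. The parser is deliberately simplified (first matching key wins, no LDAPTLS_* environment overrides, no ~/.ldaprc merging); that simplification is an assumption of this example, not OpenLDAP's behaviour.

```shell
#!/bin/sh
# Added example, not OpenLDAP code: mirror the CA-source decision of the patched
# tlso_ctx_init() against an ldap.conf-style file.
#   - neither TLS_CACERT nor TLS_CACERTDIR set -> OpenSSL default verify paths
#   - at least one set                         -> only those locations, and an
#                                                 unreadable one is an error
# Assumption of this example: the first match of each key wins, and LDAPTLS_*
# environment variables and ~/.ldaprc are not consulted.

# ldap_conf_get CONF KEY: print the first value for KEY (keys are case-insensitive).
ldap_conf_get() {
    awk -v k="$2" 'toupper($1) == k { print $2; exit }' "$1"
}

# ldap_ca_source CONF: print "default", "file:PATH", "dir:PATH" or "file:PATH,dir:PATH".
# Exit status 0 when every configured location is readable, 1 otherwise.
ldap_ca_source() {
    cafile=$(ldap_conf_get "$1" TLS_CACERT)
    cadir=$(ldap_conf_get "$1" TLS_CACERTDIR)
    if [ -z "$cafile" ] && [ -z "$cadir" ]; then
        # Same condition as the patched code: fall back to the system-wide paths.
        echo "default"
        return 0
    fi
    rc=0
    out=""
    if [ -n "$cafile" ]; then
        out="file:$cafile"
        [ -r "$cafile" ] || rc=1
    fi
    if [ -n "$cadir" ]; then
        out="${out:+$out,}dir:$cadir"
        { [ -d "$cadir" ] && [ -r "$cadir" ]; } || rc=1
    fi
    echo "$out"
    return "$rc"
}

# Stand-alone usage: sh this_script.sh /etc/openldap/ldap.conf
if [ $# -gt 0 ]; then
    ldap_ca_source "$1"
fi
```

Run it against /etc/openldap/ldap.conf on hosts being updated: a non-zero exit means the patched libldap will refuse to start TLS where the old one silently went on, and an output of "default" on a host that previously set both a CA file and expected the system bundle is a sign that the configuration needs revisiting.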