forked from pool/openldap2
- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch
to let OpenLDAP read system wide certificate directory by default and avoid hiding the error if user specified CA location cannot be read (bsc#1009470). OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=168
This commit is contained in:
parent
1efa980544
commit
20d52f9a9c
33
0012-use-system-wide-cert-dir-by-default.patch
Normal file
33
0012-use-system-wide-cert-dir-by-default.patch
Normal file
@ -0,0 +1,33 @@
|
||||
The TLS configuration deliberately hid the error in case that user specified CA locations
|
||||
cannot be read, by loading CAs from default locations; and when user does not specify CA
|
||||
locations, the CAs from default locations are not read at all.
|
||||
|
||||
This patch corrects the behaviour so that CAs from default location are used if user does
|
||||
not specify a CA location, and user is informed of the error if CAs cannot be loaded from
|
||||
the user specified location.
|
||||
|
||||
Howard Guo <hguo@suse.com> 2016-11-10
|
||||
|
||||
diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
|
||||
--- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200
|
||||
+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100
|
||||
@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
|
||||
return -1;
|
||||
}
|
||||
|
||||
- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
|
||||
+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
|
||||
+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
|
||||
+ Debug( LDAP_DEBUG_ANY, "TLS: "
|
||||
+ "could not use default certificate paths", 0, 0, 0 );
|
||||
+ tlso_report_error();
|
||||
+ return -1;
|
||||
+ }
|
||||
+ } else {
|
||||
if ( !SSL_CTX_load_verify_locations( ctx,
|
||||
- lt->lt_cacertfile, lt->lt_cacertdir ) ||
|
||||
- !SSL_CTX_set_default_verify_paths( ctx ) )
|
||||
+ lt->lt_cacertfile, lt->lt_cacertdir ) )
|
||||
{
|
||||
Debug( LDAP_DEBUG_ANY, "TLS: "
|
||||
"could not load verify locations (file:`%s',dir:`%s').\n",
|
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Nov 10 12:55:26 UTC 2016 - hguo@suse.com
|
||||
|
||||
- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch
|
||||
to let OpenLDAP read system wide certificate directory by
|
||||
default and avoid hiding the error if user specified CA location
|
||||
cannot be read (bsc#1009470).
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Oct 14 13:15:23 UTC 2016 - hguo@suse.com
|
||||
|
||||
|
@ -58,6 +58,7 @@ Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
|
||||
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
|
||||
Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch
|
||||
Patch11: 0011-openldap-re24-its7796.patch
|
||||
Patch12: 0012-use-system-wide-cert-dir-by-default.patch
|
||||
Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
|
||||
Source201: %{name_ppolicy_check_module}.Makefile
|
||||
Source202: %{name_ppolicy_check_module}.conf
|
||||
@ -251,6 +252,7 @@ gzip -k %{S:203}
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch12 -p1
|
||||
cp %{SOURCE5} .
|
||||
|
||||
# Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/
|
||||
|
Loading…
Reference in New Issue
Block a user