From 20d52f9a9ca4e5801085cc09126605036a7f8eaa644870d1e8b3158a7fda0a99 Mon Sep 17 00:00:00 2001
From: Howard Guo
Date: Thu, 10 Nov 2016 14:56:16 +0000
Subject: [PATCH] - Introduce patch 0012-use-system-wide-cert-dir-by-default.patch to let OpenLDAP read system wide certificate directory by default and avoid hiding the error if user specified CA location cannot be read (bsc#1009470).

OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=168
---
 ...-use-system-wide-cert-dir-by-default.patch | 33 +++++++++++++++++++
 openldap2.changes | 8 +++++
 openldap2.spec | 2 ++
 3 files changed, 43 insertions(+)
 create mode 100644 0012-use-system-wide-cert-dir-by-default.patch

diff --git a/0012-use-system-wide-cert-dir-by-default.patch b/0012-use-system-wide-cert-dir-by-default.patch
new file mode 100644
index 0000000..78e64ee
--- /dev/null
+++ b/0012-use-system-wide-cert-dir-by-default.patch
@@ -0,0 +1,33 @@
+The TLS configuration deliberately hid the error in case that user specified CA locations
+cannot be read, by loading CAs from default locations; and when user does not specify CA
+locations, the CAs from default locations are not read at all.
+
+This patch corrects the behaviour so that CAs from default location are used if user does
+not specify a CA location, and user is informed of the error if CAs cannot be loaded from
+the user specified location.
+
+Howard Guo 2016-11-10
+
+diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c
+--- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200
++++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100
+@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
+ return -1;
+ }
+ 
+- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
++ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
++ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
++ Debug( LDAP_DEBUG_ANY, "TLS: "
++ "could not use default certificate paths", 0, 0, 0 );
++ tlso_report_error();
++ return -1;
++ }
++ } else {
+ if ( !SSL_CTX_load_verify_locations( ctx,
+- lt->lt_cacertfile, lt->lt_cacertdir ) ||
+- !SSL_CTX_set_default_verify_paths( ctx ) )
++ lt->lt_cacertfile, lt->lt_cacertdir ) )
+ {
+ Debug( LDAP_DEBUG_ANY, "TLS: "
+ "could not load verify locations (file:`%s',dir:`%s').\n",
diff --git a/openldap2.changes b/openldap2.changes
index f1edee5..93540d7 100644
--- a/openldap2.changes
+++ b/openldap2.changes
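Review bot: The new `Debug( LDAP_DEBUG_ANY, "TLS: " "could not use default certificate paths", 0, 0, 0 );` message in the embedded tls_o.c hunk has no trailing newline, unlike the neighbouring `"could not load verify locations (file:`%s',dir:`%s').\n"` message, so it will run into whatever is logged next; write it as `"could not use default certificate paths.\n"`. The rewritten else branch also drops the `SSL_CTX_set_default_verify_paths( ctx )` call that the old code made after a successful `SSL_CTX_load_verify_locations`, so a configured ldo_tls_cacertfile/ldo_tls_cacertdir now replaces the system trust store instead of supplementing it; that is a defensible fail-closed choice, but it is a user-visible change that the patch header and the .changes entry should state explicitly rather than only describing the error-reporting fix. The body of tlso_ctx_init, including the remainder of the else branch after the Debug call, continues outside the hunk.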
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Nov 10 12:55:26 UTC 2016 - hguo@suse.com
+
+- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch
+ to let OpenLDAP read system wide certificate directory by
+ default and avoid hiding the error if user specified CA location
+ cannot be read (bsc#1009470).
+
 -------------------------------------------------------------------
 Fri Oct 14 13:15:23 UTC 2016 - hguo@suse.com
 
diff --git a/openldap2.spec b/openldap2.spec
index bbeb889..3021f5f 100644
--- a/openldap2.spec
+++ b/openldap2.spec
@@ -58,6 +58,7 @@ Patch8: 0008-In-monitor-backend-do-not-return-Connection0-entries.patch
 Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
 Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch
 Patch11: 0011-openldap-re24-its7796.patch
+Patch12: 0012-use-system-wide-cert-dir-by-default.patch
 Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
 Source201: %{name_ppolicy_check_module}.Makefile
 Source202: %{name_ppolicy_check_module}.conf
@@ -251,6 +252,7 @@ gzip -k %{S:203}
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 cp %{SOURCE5} .
 
 # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/