openldap/openldap-2.4.23-selfsignedcacert.patch

#614545 Mozilla NSS - support use of self signed CA certs as server certs 
upstream: http://www.openldap.org/its/index.cgi issue 6589

diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
--- openldap-2.4.22.old/libraries/libldap/tls_m.c	2010-04-15 23:26:00.000000000 +0200
+++ openldap-2.4.22.new/libraries/libldap/tls_m.c	2010-07-22 09:56:58.984806148 +0200
@@ -1491,11 +1491,40 @@
 		status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert,
 											checkSig, certUsage,
 											pin_arg, NULL );
-		if (status != SECSuccess) {
+		if ( status != SECSuccess ) {
+			/* NSS doesn't like self-signed CA certs that are also used for 
+			   TLS/SSL server certs (such as generated by openssl req -x509)
+			   CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case
+			   so, see if the cert and issuer are the same cert
+			*/
 			PRErrorCode errcode = PR_GetError();
-			Debug( LDAP_DEBUG_ANY,
-				   "TLS: error: the certificate %s is not valid - error %d:%s\n",
-				   certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+
+			if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) {
+				CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer );
+				if ( NULL == issuer ) {
+					/* no issuer - warn and allow */
+					status = SECSuccess;
+					rc = 0;
+					Debug( LDAP_DEBUG_ANY,
+						   "TLS: warning: the server certificate %s has no issuer - "
+						   "please check this certificate for validity\n",
+						   certname, 0, 0 );
+				} else if ( CERT_CompareCerts( cert, issuer ) ) {
+					/* self signed - warn and allow */
+					status = SECSuccess;
+					rc = 0;
+					Debug( LDAP_DEBUG_ANY,
+						   "TLS: warning: using self-signed server certificate %s\n",
+						   certname, 0, 0 );
+				}
+				CERT_DestroyCertificate( issuer );
+			}
+
+			if ( status != SECSuccess ) {
+				Debug( LDAP_DEBUG_ANY,
+					   "TLS: error: the certificate %s is not valid - error %d:%s\n",
+					   certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+			}
 		} else {
 			rc = 0; /* success */
 		}
Mozilla NSS - delay token auth until needed (#616552) Mozilla NSS - support use of self signed CA certs as server certs (#614545) 2010-07-22 08:11:30 +00:00			`#614545 Mozilla NSS - support use of self signed CA certs as server certs`
			`upstream: http://www.openldap.org/its/index.cgi issue 6589`

			`diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c`
			`--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200`
			`+++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200`
			`@@ -1491,11 +1491,40 @@`
			`status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert,`
			`checkSig, certUsage,`
			`pin_arg, NULL );`
			`- if (status != SECSuccess) {`
			`+ if ( status != SECSuccess ) {`
			`+ /* NSS doesn't like self-signed CA certs that are also used for`
			`+ TLS/SSL server certs (such as generated by openssl req -x509)`
			`+ CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case`
			`+ so, see if the cert and issuer are the same cert`
			`+ */`
			`PRErrorCode errcode = PR_GetError();`
			`- Debug( LDAP_DEBUG_ANY,`
			`- "TLS: error: the certificate %s is not valid - error %d:%s\n",`
			`- certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );`
			`+`
			`+ if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) {`
			`+ CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer );`
			`+ if ( NULL == issuer ) {`
			`+ /* no issuer - warn and allow */`
			`+ status = SECSuccess;`
			`+ rc = 0;`
			`+ Debug( LDAP_DEBUG_ANY,`
			`+ "TLS: warning: the server certificate %s has no issuer - "`
			`+ "please check this certificate for validity\n",`
			`+ certname, 0, 0 );`
			`+ } else if ( CERT_CompareCerts( cert, issuer ) ) {`
			`+ /* self signed - warn and allow */`
			`+ status = SECSuccess;`
			`+ rc = 0;`
			`+ Debug( LDAP_DEBUG_ANY,`
			`+ "TLS: warning: using self-signed server certificate %s\n",`
			`+ certname, 0, 0 );`
			`+ }`
			`+ CERT_DestroyCertificate( issuer );`
			`+ }`
			`+`
			`+ if ( status != SECSuccess ) {`
			`+ Debug( LDAP_DEBUG_ANY,`
			`+ "TLS: error: the certificate %s is not valid - error %d:%s\n",`
			`+ certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );`
			`+ }`
			`} else {`
			`rc = 0; /* success */`
			`}`