#614545 Mozilla NSS - support use of self signed CA certs as server certs upstream: http://www.openldap.org/its/index.cgi issue 6589 diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c --- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200 +++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200 @@ -1491,11 +1491,40 @@ status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert, checkSig, certUsage, pin_arg, NULL ); - if (status != SECSuccess) { + if ( status != SECSuccess ) { + /* NSS doesn't like self-signed CA certs that are also used for + TLS/SSL server certs (such as generated by openssl req -x509) + CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case + so, see if the cert and issuer are the same cert + */ PRErrorCode errcode = PR_GetError(); - Debug( LDAP_DEBUG_ANY, - "TLS: error: the certificate %s is not valid - error %d:%s\n", - certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); + + if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) { + CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer ); + if ( NULL == issuer ) { + /* no issuer - warn and allow */ + status = SECSuccess; + rc = 0; + Debug( LDAP_DEBUG_ANY, + "TLS: warning: the server certificate %s has no issuer - " + "please check this certificate for validity\n", + certname, 0, 0 ); + } else if ( CERT_CompareCerts( cert, issuer ) ) { + /* self signed - warn and allow */ + status = SECSuccess; + rc = 0; + Debug( LDAP_DEBUG_ANY, + "TLS: warning: using self-signed server certificate %s\n", + certname, 0, 0 ); + } + CERT_DestroyCertificate( issuer ); + } + + if ( status != SECSuccess ) { + Debug( LDAP_DEBUG_ANY, + "TLS: error: the certificate %s is not valid - error %d:%s\n", + certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) ); + } } else { rc = 0; /* success */ }