60d09d71cf
Resolves: #819536
MozNSS: allow CA certdb together with PEM CA bundle file
Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate
database and TLS_CACERT was set to a PEM bundle file with CA
certificates, the PEM file content was not loaded.
With this patch and the same settings, OpenLDAP can verify certificates
which are signed by CAs stored in either the certdb or the PEM bundle file.
Author: Jan Vcelak <jvcelak@redhat.com>
Resolves: #819536
Upstream ITS: #7276
---
libraries/libldap/tls_m.c | 16 +++++++++++++---
1 files changed, 13 insertions(+), 3 deletions(-)
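diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 50c03dd..23d843c 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1683,18 +1683,28 @@ tlsm_deferred_init( void *arg )
 ctx->tc_initctx = initctx;
 #endif
 
+ }
+
+ if ( errcode || lt->lt_cacertfile ) {
 /* initialize the PEM module */
 LDAP_MUTEX_LOCK( &tlsm_init_mutex );
 if ( tlsm_init_pem_module() ) {
 LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
- errcode = PORT_GetError();
+ int pem_errcode = PORT_GetError();
 Debug( LDAP_DEBUG_ANY,
 "TLS: could not initialize moznss PEM module - error %d:%s.\n",
- errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
- return -1;
+ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+
+ if ( errcode ) /* PEM is required */
+ return -1;
+
+ } else if ( !errcode ) {
+ tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL );
 }
 LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+ }
 
+ if ( errcode ) {
 if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
 /* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode
 will be a value other than 1 - print an error message so that the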
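Review bot: The return value of `tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL )` in the new `else if ( !errcode )` branch is discarded, while the existing call a few lines below checks it and fails the init; if the PEM bundle cannot be read or parsed, initialization continues with only the certdb CAs and, unless tlsm_init_ca_certs logs on its own, the operator gets no indication that TLS_CACERT was ignored. If best-effort loading is the intent, a comment saying so plus a Debug() line on failure would make that explicit; otherwise propagate the failure the way the later call does, unlocking tlsm_init_mutex first since this call sits inside the locked region. The same policy question applies to the PEM-module failure just above, where a configured TLS_CACERT is dropped with only a log line when the certdb opened successfully. tlsm_deferred_init begins and ends outside this hunk.
```c
} else if ( !errcode ) {
	/* certdb opened; also load the CAs from TLS_CACERT, failing as the certdir path does */
	if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL ) ) {
		LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
		return -1;
	}
}
LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
```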
--
1.7.7.6