openldap/openldap-nss-ca-selfsigned.patch
Jan Vcelak 95d8d32fc5 rebase to 2.4.23
- package rebased
- removed embeded db4
- removed patches merged by upstream
- removed no longer required patches
- merged patches doing manpage changes
- merged patches exporting ldif API
- reapplied patches and added description to each one
- removed unnecessary BuildRequires
- cleaned %config, %build and %install sections
- updated database upgrade process:
  - database is exported (slapcat) and reimported (slapadd) when minor
	version of openldap changes (safe and recommended way)
  - database is upgraded (db4) when minor version of db4 package changes
	(this is not done in %post anymore, as the database is not embedded,
	but using triggers)

Resolved: #624616 Bogus links in "SEE ALSO" part of several man-pages
Resolved: #625740 openldap-2.4.23 is available
2010-08-27 14:45:25 +02:00


#614545 Mozilla NSS - support use of self signed CA certs as server certs
Resolves: #614545
Upstream: ITS #6589
Author: Rich Megginson <rmeggins@redhat.com>
diff -urNP openldap-2.4.22.old/libraries/libldap/tls_m.c openldap-2.4.22.new/libraries/libldap/tls_m.c
--- openldap-2.4.22.old/libraries/libldap/tls_m.c 2010-04-15 23:26:00.000000000 +0200
+++ openldap-2.4.22.new/libraries/libldap/tls_m.c 2010-07-22 09:56:58.984806148 +0200
@@ -1491,11 +1491,40 @@
status = CERT_VerifyCertificateNow( ctx->tc_certdb, cert,
checkSig, certUsage,
pin_arg, NULL );
- if (status != SECSuccess) {
+ if ( status != SECSuccess ) {
+ /* NSS doesn't like self-signed CA certs that are also used for
+ TLS/SSL server certs (such as generated by openssl req -x509)
+ CERT_VerifyCertificateNow returns SEC_ERROR_UNTRUSTED_ISSUER in that case
+ so, see if the cert and issuer are the same cert
+ */
PRErrorCode errcode = PR_GetError();
- Debug( LDAP_DEBUG_ANY,
- "TLS: error: the certificate %s is not valid - error %d:%s\n",
- certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+
+ if ( errcode == SEC_ERROR_UNTRUSTED_ISSUER ) {
+ CERTCertificate *issuer = CERT_FindCertIssuer( cert, PR_Now(), certUsageSSLServer );
+ if ( NULL == issuer ) {
+ /* no issuer - warn and allow */
+ status = SECSuccess;
+ rc = 0;
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: warning: the server certificate %s has no issuer - "
+ "please check this certificate for validity\n",
+ certname, 0, 0 );
+ } else if ( CERT_CompareCerts( cert, issuer ) ) {
+ /* self signed - warn and allow */
+ status = SECSuccess;
+ rc = 0;
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: warning: using self-signed server certificate %s\n",
+ certname, 0, 0 );
+ }
+ CERT_DestroyCertificate( issuer );
+ }
+
+ if ( status != SECSuccess ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: error: the certificate %s is not valid - error %d:%s\n",
+ certname, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+ }
} else {
rc = 0; /* success */
}
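Review bot: The "no issuer - warn and allow" branch accepts any certificate for which CERT_FindCertIssuer() returns NULL, which is broader than the self-signed case the block comment describes — an issuer missing from the certificate DB is not the same thing as the cert being its own issuer, yet both paths end with `status = SECSuccess; rc = 0;`. If the intent is only to tolerate self-signed server certs, the NULL-issuer case could first check that the cert's subject and issuer names match, e.g. `if ( CERT_CompareName( &cert->subject, &cert->issuer ) == SECEqual )`, and otherwise fall through to the existing error path; if the broader acceptance is deliberate, the comment and the warning text should say "issuer not found in the certificate database" rather than "no issuer". The hunk header carries no function name and the enclosing function starts and ends outside the hunk, so whether this verifies the server's own configured certificate (as the warning text suggests) or a peer certificate is not visible here; the distinction matters for how much this relaxation weakens. Calling `CERT_DestroyCertificate( issuer )` with a NULL issuer is, as far as I recall, tolerated by NSS, so that line is fine.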