fix: ldapsearch fails if no CA certificate is available
OpenLDAP built with OpenSSL allows almost any value of cacertdir - directory
is a file, directory does not contain any CA certs, directory does not
exist - users expect if they specify TLS_REQCERT=never, no matter what
the TLS_CACERTDIR setting is, TLS/SSL will just work.
TLS_CACERT, on the other hand, is a hard error. Even if TLS_REQCERT=never,
if TLS_CACERT is specified and is not a valid CA cert file, TLS/SSL will
fail. This patch makes CACERT errors hard errors, and makes CACERTDIR
errors "soft" errors. The code checks CACERT first and, even though
the function will return an error, checks CACERTDIR anyway so that if the
user sets TRACE mode they will get CACERTDIR processing messages.
Author: Rich Megginson <rmeggins@redhat.com>
Upstream commit: 7e528ae8022664b550410cdbe23690719d1a66a7
diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
20
index 911885d..7be703b 100644
21
--- a/libraries/libldap/tls_m.c
22
+++ b/libraries/libldap/tls_m.c
23
@@ -1320,7 +1320,7 @@ static int
24
tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir )
26
PRBool isca = PR_TRUE;
27
- PRStatus status = PR_FAILURE;
28
+ PRStatus status = PR_SUCCESS;
29
PRErrorCode errcode = PR_SUCCESS;
31
if ( !cacertfile && !cacertdir ) {
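Review bot: Starting `status` at `PR_SUCCESS` makes success the outcome of every path in `tlsm_init_ca_certs` that never assigns it, and the `if ( !cacertfile && !cacertdir )` branch on the last context line has its body outside this hunk, so it is worth confirming that branch still returns what it intends rather than inheriting the new default. Together with the later hunks that drop the "found at least one CA" assignments, a cacertdir that loads zero certificates now also yields `PR_SUCCESS` and leaves the NSS trust store with nothing from that directory; whether a connection that requires certificate checking is then refused depends on the handshake verification, which is not visible here. A short comment at the declaration, `/* success unless cacertfile is given and unusable; cacertdir problems are diagnostic only */`, would record that choice for the next reader. The function continues past the end of this hunk.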
32
@@ -1336,14 +1336,24 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
33
"TLS: %s is not a valid CA certificate file - error %d:%s.\n",
35
PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
36
+ /* failure with cacertfile is a hard failure even if cacertdir is
37
+ also specified and contains valid CA cert files */
38
+ status = PR_FAILURE;
40
Debug( LDAP_DEBUG_TRACE,
41
"TLS: loaded CA certificate file %s.\n",
43
- status = PR_SUCCESS; /* have at least one good CA - we can proceed */
47
+ /* if cacertfile above failed, we will return failure, even
48
+ if there is a valid CA cert in cacertdir - but we still
49
+ process cacertdir in case the user has enabled trace level
50
+ debugging so they can see the processing for cacertdir too */
51
+ /* any cacertdir failures are "soft" failures - if the user specifies
52
+ no cert checking, then we allow the tls/ssl to continue, no matter
53
+ what was specified for cacertdir, or the contents of the directory
54
+ - this is different behavior than that of cacertfile */
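Review bot: The added comment says cacertdir failures are soft "if the user specifies no cert checking", but nothing in this hunk or the following ones consults the TLS_REQCERT setting, so as written the failure is soft in every mode, including the strict one, and the comment should not imply a check the code does not make. Suggest wording it as `/* cacertdir problems never fail initialization; when certificate checking is required, the handshake's verification is presumably what fails if no CA was loaded */`, keeping the hedge until that verification path has been confirmed. The `status = PR_FAILURE` assignment for an unusable cacertfile matches the hard-error behaviour the commit message describes. `tlsm_init_ca_certs` continues beyond this hunk.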
58
@@ -1397,7 +1407,6 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
59
Debug( LDAP_DEBUG_TRACE,
60
"TLS: loaded CA certificate file %s from CA certificate directory %s.\n",
61
fullpath, cacertdir, 0 );
62
- status = PR_SUCCESS; /* found at least 1 valid CA file in the dir */
64
errcode = PR_GetError();
65
Debug( LDAP_DEBUG_TRACE,
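Review bot: With the `status = PR_SUCCESS` assignment dropped here, nothing records whether the directory walk loaded any certificate at all, and the following hunk removes the only LDAP_DEBUG_ANY message that told the user "did not find any valid CA certificates"; a cacertdir that silently contributes zero CAs is exactly the misconfiguration an operator needs surfaced, because with certificate checking required it later appears only as an opaque handshake failure. Consider keeping a local count of certificates loaded from cacertdir, e.g. `++ncerts;` beside the trace message, and emitting an LDAP_DEBUG_ANY warning, not a failure, after the loop when it is zero. The enclosing directory loop starts and ends outside this hunk.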
66
@@ -1412,14 +1421,6 @@ tlsm_init_ca_certs( tlsm_ctx *ctx, const char *cacertfile, const char *cacertdir
69
if ( status != PR_SUCCESS ) {
70
- const char *fmtstr = NULL;
71
- if ( cacertfile && cacertdir ) {
72
- fmtstr = "TLS: did not find any valid CA certificates in %s or %s\n";
74
- fmtstr = "TLS: did not find any valid CA certificates in %s%s\n";
76
- Debug( LDAP_DEBUG_ANY, fmtstr, cacertdir ? cacertdir : "",
77
- cacertfile ? cacertfile : "", 0 );