Package: slapd Version: 2.4.15-1p Followup-For: Bug #505191 The attached patch fixes the "TLSVerifyClient try" issue for me. It also fixes a few compiler warnings.
-- System Information: Debian Release: 5.0 APT prefers testing APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages slapd depends on: ii adduser 3.110 add and remove users and groups ii coreutils 6.10-6 The GNU core utilities ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy ii libc6 2.7-18 GNU C Library: Shared libraries ii libdb4.7 4.7.25-6 Berkeley v4.7 Database Libraries [ ii libgnutls26 2.6.4-2 the GNU TLS library - runtime libr ii libgssapi2-heimdal 1.2.dfsg.1-2.1 Heimdal Kerberos - GSSAPI support ii libldap-2.4-2 2.4.15-1pm1 OpenLDAP libraries ii libltdl3 1.5.26-4 A system independent dlopen wrappe ii libperl5.10 5.10.0-19 Shared Perl library ii libsasl2-2 2.1.22.dfsg1-23 Cyrus SASL - authentication abstra ii libslp1 1.2.1-7.5 OpenSLP libraries ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra ii perl [libmime-base64-per 5.10.0-19 Larry Wall's Practical Extraction ii psmisc 22.6-1 Utilities that use the proc filesy ii unixodbc 2.2.11-16 ODBC tools libraries Versions of packages slapd recommends: ii libsasl2-modules 2.1.22.dfsg1-23 Cyrus SASL - pluggable authenticat Versions of packages slapd suggests: ii ldap-utils 2.4.15-1pm1 OpenLDAP utilities -- debconf information excluded
--- libraries/libldap/tls_g.c
+++ libraries/libldap/tls_g.c 2009-02-28 23:18:09.000000000 +0100
@@ -402,9 +402,18 @@
 rc = gnutls_handshake( s->session );
 if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
- rc = tlsg_cert_verify( s );
- if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
+ const gnutls_datum_t *peer_cert_list;
+ unsigned int list_size;
+
+ peer_cert_list = gnutls_certificate_get_peers( s->session,
+ &list_size );
+ if ( !peer_cert_list && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY )
 rc = 0;
+ else {
+ rc = tlsg_cert_verify( s );
+ if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
+ rc = 0;
+ }
 }
 return rc;
 }
@@ -496,7 +505,7 @@
 tlsg_session *s = (tlsg_session *)session;
 if ( !s->peer_der_dn.bv_val ) {
 const gnutls_datum_t *peer_cert_list;
- int list_size;
+ unsigned int list_size;
 struct berval bv;
 peer_cert_list = gnutls_certificate_get_peers( s->session,
@@ -525,7 +534,7 @@
 tlsg_session *s = (tlsg_session *)session;
 int i, ret;
 const gnutls_datum_t *peer_cert_list;
- int list_size;
+ unsigned int list_size;
 struct berval bv;
 char altname[NI_MAXHOST];
 size_t altnamesize;
@@ -542,7 +551,6 @@
 #endif
 int n, len1 = 0, len2 = 0;
 int ntype = IS_DNS;
- time_t now = time(0);
 if( ldap_int_hostname && ( !name_in || !strcasecmp( name_in, "localhost" ) ) )
@@ -965,6 +973,7 @@
 unsigned int status = 0;
 int err;
 time_t now = time(0);
+ time_t peertime;
 err = gnutls_certificate_verify_peers2( ssl->session, &status );
 if ( err < 0 ) {
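Review bot: In the hunk at -402 the new TRY branch skips tlsg_cert_verify() whenever gnutls_certificate_get_peers() returns NULL, yet `list_size` is filled in and never read, so the "no certificate was sent" intent rests on the NULL return alone; as far as I recall gnutls also returns NULL on failure, so a comment should say that both cases are deliberately treated as "nothing to verify" in TRY mode, while every other setting still goes through tlsg_cert_verify(). I would make the condition explicit about the count as well, `if ( ( !peer_cert_list || list_size == 0 ) && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY )`, and put above it `/* TRY: a certificate was requested but the peer may send none; one that is sent must still verify */`. The enclosing function begins before this hunk; the hunks at -496 and -525 only change the type of list_size to match the gnutls signature.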
@@ -977,12 +986,24 @@
 status, 0,0 );
 return -1;
 }
- if ( gnutls_certificate_expiration_time_peers( ssl->session ) < now ) {
+ peertime = gnutls_certificate_expiration_time_peers( ssl->session );
+ if ( peertime == (time_t) -1 ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_expiration_time_peers failed\n",
+ 0, 0, 0 );
+ return -1;
+ }
+ if ( peertime < now ) {
 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate is expired\n",
 0, 0, 0 );
 return -1;
 }
- if ( gnutls_certificate_activation_time_peers( ssl->session ) > now ) {
+ peertime = gnutls_certificate_activation_time_peers( ssl->session );
+ if ( peertime == (time_t) -1 ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: gnutls_certificate_activation_time_peers failed\n",
+ 0, 0, 0 );
+ return -1;
+ }
+ if ( peertime > now ) {
 Debug( LDAP_DEBUG_ANY, "TLS: peer certificate not yet active\n",
 0, 0, 0 );
 return -1;
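Review bot: The two added `peertime == (time_t) -1` checks in the hunk at -977 deserve a comment stating why they exist, because the removed comparisons did not fail safe symmetrically: an unreadable activation time made the old `... > now` test compare -1 against now and silently accept the certificate, whereas an unreadable expiration time would merely have been reported as "expired". Something like `/* gnutls reports (time_t)-1 when the validity period cannot be read; treat that as a verification failure instead of comparing -1 against now */` above the first check would keep the next maintainer from collapsing the two tests back together. The lookup/check/Debug sequence is duplicated for both times and could be a small static helper, but that is a matter of taste. The enclosing function (presumably tlsg_cert_verify, whose locals appear in the hunk at -965) begins before this hunk.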