[email protected] wrote:
> Full_Name: Rich Megginson
> Version: 2.4.26 (tip of git OPENLDAP_REL_ENG_2_4)
> OS: RHEL6
> URL: ftp://ftp.openldap.org/incoming/0001-Patch-Mozilla-NSS-if-client-cert-is-bad-VerifyCert-a.patch
> Submission from: (NULL) (76.113.106.30)
>
>
> If the olcTLSVerifyClient is set to a value other than "never", the server
> should request that the client send a client certificate for possible use with
> client cert auth (e.g. SASL/EXTERNAL).
> If set to "allow", if the client sends a cert, and there are problems with it,
> the server will warn about problems, but will allow the SSL session to proceed
> without a client cert.
> If set to "try", if the client sends a cert, and there are problems with it, the
> server will warn about those problems, and shut down the SSL session.
> If set to "demand" or "hard", the client must send a cert, and the server will
> shut down the SSL session if there are problems.
> I added a new member of the tlsm context structure - tc_warn_only - if this is
> set, tlsm_verify_cert will only warn about errors, and only if TRACE level debug
> is set. This allows the server to warn but allow bad certs if "allow" is set,
> and warn and fail if "try" is set.
>
> Note: The patch applies on top of ITS#7001 - you cannot apply this patch first,
> then the patch to 7001
This patch does not apply cleanly to git master. Please remember the devel guidelines - all submissions must be relative to git master. I've cleaned up the rejected parts of this patch so you don't need to resubmit this one.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
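The verify-client policy described in the quoted report, modelled as an added C example (not OpenLDAP's code): the type and function names are illustrative, and the behaviour of "try" when no certificate is presented is taken from slapd.conf(5) rather than from the report.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed model of the olcTLSVerifyClient policy; illustrative only. */
typedef enum { VC_NEVER, VC_ALLOW, VC_TRY, VC_DEMAND, VC_HARD } verify_client_t;
typedef enum { CERT_NONE, CERT_OK, CERT_BAD } cert_state_t;
typedef enum { OUTCOME_PROCEED, OUTCOME_PROCEED_WARN,
               OUTCOME_SHUTDOWN_WARN, OUTCOME_SHUTDOWN } outcome_t;

typedef struct {
    int request_cert;  /* server asks the client for a certificate */
    int warn_only;     /* models tc_warn_only: report problems, never fail */
} tlsm_ctx_model;      /* hypothetical stand-in for the tlsm context */

/* Map the configuration keyword to the enum; returns -1 on an unknown value. */
static int parse_verify_client(const char *kw, verify_client_t *out) {
    static const char *names[] = { "never", "allow", "try", "demand", "hard" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        if (strcasecmp(kw, names[i]) == 0) { *out = (verify_client_t)i; return 0; }
    return -1;
}

/* Derive the context flags from the configured mode, as the report describes. */
static void ctx_init(tlsm_ctx_model *tc, verify_client_t mode) {
    tc->request_cert = (mode != VC_NEVER);
    tc->warn_only    = (mode == VC_ALLOW);   /* only "allow" tolerates a bad cert */
}

/* Decide the fate of the TLS session for a mode and the certificate presented.
 * `trace` is 1 when TRACE-level debugging is on (warn_only logs only then). */
int verify_outcome(const char *mode_kw, cert_state_t cert, int trace) {
    verify_client_t mode;
    tlsm_ctx_model tc;
    if (parse_verify_client(mode_kw, &mode) != 0) return -1;
    ctx_init(&tc, mode);
    if (!tc.request_cert || cert == CERT_OK)   /* "never", or a valid cert */
        return OUTCOME_PROCEED;
    if (cert == CERT_NONE)                     /* nothing presented: only demand/hard fail */
        return (mode >= VC_DEMAND) ? OUTCOME_SHUTDOWN : OUTCOME_PROCEED;
    if (tc.warn_only)                          /* bad cert under "allow" */
        return trace ? OUTCOME_PROCEED_WARN : OUTCOME_PROCEED;
    return (mode == VC_TRY) ? OUTCOME_SHUTDOWN_WARN : OUTCOME_SHUTDOWN;
}

int main(void) {
    const char *modes[] = { "never", "allow", "try", "demand", "hard" };
    for (int m = 0; m < 5; m++)
        for (int c = CERT_NONE; c <= CERT_BAD; c++)
            printf("%-7s cert=%d -> outcome %d\n", modes[m], c,
                   verify_outcome(modes[m], (cert_state_t)c, 1));
    return 0;
}
```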
