[email protected] wrote:
> Full_Name: Jan Vcelak
> Version: git master
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/jvcelak-20120605-moznss-overwrite-error-in-tlsm-verify-cert.patch
> Submission from: (NULL) (209.132.186.34)
>
>
> If the peer certificate verification fails and the certificate does not
> contain a Basic Constraints extension, the wrong TLS error message is
> reported by the library. In addition, TLS_REQCERT=never does not work in
> this situation. This is caused by overwriting the original error code in
> the tlsm_verify_cert() function.
>
> The attached patch fixes this behavior.
Applied to master.

> Old version:
>
> $ ldapsearch -x -ZZ
> ldap_start_tls: Connect error (-11)
>         additional info: TLS error -8157:Certificate extension not found.
>
> Fixed version:
>
> $ ldapsearch -x -ZZ
> ldap_start_tls: Connect error (-11)
>         additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.
>
>
> The attached file is derived from OpenLDAP Software. All of the modifications
> to OpenLDAP Software represented in the following patch(es) were developed by
> Red Hat. Red Hat has not assigned rights and/or interest in this work to any
> party.
> I, Jan Vcelak am authorized by Red Hat, my employer, to release this work
> under the following terms.
>
> Red Hat hereby place the following modifications to OpenLDAP Software (and
> only these modifications) into the public domain. Hence, these modifications
> may be freely used and/or redistributed for any purpose with or without
> attribution and/or other notice.
>

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
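The error-clobbering pattern the report describes, as an added C model that is not the OpenLDAP patch or NSS code: the NSS calls are replaced by constructed stand-ins that write a single global error slot, and the TLS_REQCERT=never policy function is an assumption about how a waiver decision keys on the reported code.

```c
/* Constructed model of the bug, not OpenLDAP or NSS code. NSS keeps a
 * per-thread error (PORT_GetError/PORT_SetError); this model uses one
 * global slot and the two error codes quoted in the report. */
#define SEC_ERROR_UNTRUSTED_ISSUER    (-8172)
#define SEC_ERROR_EXTENSION_NOT_FOUND (-8157)
#define SECSuccess 0
#define SECFailure (-1)

static int last_error;                     /* stands in for PORT_GetError() */
static void set_error(int e) { last_error = e; }
static int  get_error(void)  { return last_error; }

/* Stand-in for CERT_VerifyCertificateNow(): the issuer is not trusted. */
static int verify_cert_now(void) {
    set_error(SEC_ERROR_UNTRUSTED_ISSUER);
    return SECFailure;
}

/* Stand-in for CERT_FindCertExtension(): with no Basic Constraints extension
 * the lookup itself fails and, as in NSS, records its own error code. */
static int find_basic_constraints(int has_ext, int *is_ca) {
    if (!has_ext) { set_error(SEC_ERROR_EXTENSION_NOT_FOUND); return SECFailure; }
    *is_ca = 0;
    return SECSuccess;
}

/* Buggy shape: the secondary lookup overwrites the verification error, so
 * the caller reports -8157 instead of the real cause. */
int verify_buggy(int has_ext) {
    int is_ca;
    if (verify_cert_now() != SECSuccess) {
        find_basic_constraints(has_ext, &is_ca);
        return get_error();
    }
    return 0;
}

/* Fixed shape: save the verification error before the lookup, restore after. */
int verify_fixed(int has_ext) {
    int is_ca;
    if (verify_cert_now() != SECSuccess) {
        int saved = get_error();
        find_basic_constraints(has_ext, &is_ca);
        set_error(saved);
        return get_error();
    }
    return 0;
}
/* Assumed TLS_REQCERT=never policy: only a verification failure is waived. */
int reqcert_never_accepts(int err) { return err == SEC_ERROR_UNTRUSTED_ISSUER; }
```

With the buggy shape the waiver never matches the reported code, which is why TLS_REQCERT=never stops working in the report's scenario.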
