Hello community,
here is the log from the commit of package openldap2 for openSUSE:Factory
checked in at 2016-11-13 22:49:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openldap2 (Old)
and /work/SRC/openSUSE:Factory/.openldap2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openldap2"
Changes:
--------
--- /work/SRC/openSUSE:Factory/openldap2/openldap2.changes 2016-10-22
13:00:11.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openldap2.new/openldap2.changes 2016-11-13
22:49:58.000000000 +0100
@@ -1,0 +2,8 @@
+Thu Nov 10 12:55:26 UTC 2016 - h...@suse.com
+
+- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch
+ to let OpenLDAP read system wide certificate directory by
+ default and avoid hiding the error if user specified CA location
+ cannot be read (bsc#1009470).
+
+-------------------------------------------------------------------
New:
----
0012-use-system-wide-cert-dir-by-default.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openldap2.spec ++++++
--- /var/tmp/diff_new_pack.lD4HDy/_old 2016-11-13 22:50:00.000000000 +0100
+++ /var/tmp/diff_new_pack.lD4HDy/_new 2016-11-13 22:50:00.000000000 +0100
@@ -58,6 +58,7 @@
Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch
Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch
Patch11: 0011-openldap-re24-its7796.patch
+Patch12: 0012-use-system-wide-cert-dir-by-default.patch
Source200:
%{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
Source201: %{name_ppolicy_check_module}.Makefile
Source202: %{name_ppolicy_check_module}.conf
@@ -251,6 +252,7 @@
%patch9 -p1
%patch10 -p1
%patch11 -p1
+%patch12 -p1
cp %{SOURCE5} .
# Move ppolicy check module and its Makefile into
openldap-2.4/contrib/slapd-modules/
++++++ 0012-use-system-wide-cert-dir-by-default.patch ++++++
The TLS configuration deliberately hid the error in case that user specified CA
locations
cannot be read, by loading CAs from default locations; and when user does not
specify CA
locations, the CAs from default locations are not read at all.
This patch corrects the behaviour so that CAs from default location are used if
user does
not specify a CA location, and user is informed of the error if CAs cannot be
loaded from
the user specified location.
Howard Guo <h...@suse.com> 2016-11-10
diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c
openldap-2.4.41-patched/libraries/libldap/tls_o.c
--- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000
+0200
+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10
15:10:32.784147041 +0100
@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
return -1;
}
- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: "
+ "could not use default certificate paths", 0,
0, 0 );
+ tlso_report_error();
+ return -1;
+ }
+ } else {
if ( !SSL_CTX_load_verify_locations( ctx,
- lt->lt_cacertfile, lt->lt_cacertdir ) ||
- !SSL_CTX_set_default_verify_paths( ctx ) )
+ lt->lt_cacertfile, lt->lt_cacertdir ) )
{
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load verify locations
(file:`%s',dir:`%s').\n",
