Hello community,

here is the log from the commit of package openldap2 for openSUSE:Factory checked in at 2016-11-13 22:49:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openldap2 (Old)
 and      /work/SRC/openSUSE:Factory/.openldap2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openldap2" Changes: -------- --- /work/SRC/openSUSE:Factory/openldap2/openldap2.changes 2016-10-22 13:00:11.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openldap2.new/openldap2.changes 2016-11-13 22:49:58.000000000 +0100 @@ -1,0 +2,8 @@ +Thu Nov 10 12:55:26 UTC 2016 - h...@suse.com + +- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch + to let OpenLDAP read system wide certificate directory by + default and avoid hiding the error if user specified CA location + cannot be read (bsc#1009470). + +------------------------------------------------------------------- New: ---- 0012-use-system-wide-cert-dir-by-default.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openldap2.spec ++++++ --- /var/tmp/diff_new_pack.lD4HDy/_old 2016-11-13 22:50:00.000000000 +0100 +++ /var/tmp/diff_new_pack.lD4HDy/_new 2016-11-13 22:50:00.000000000 +0100 @@ -58,6 +58,7 @@ Patch9: 0009-Fix-ldap-host-lookup-ipv6.patch Patch10: 0010-Enforce-minimum-DH-size-of-1024.patch Patch11: 0011-openldap-re24-its7796.patch +Patch12: 0012-use-system-wide-cert-dir-by-default.patch Source200: %{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz Source201: %{name_ppolicy_check_module}.Makefile Source202: %{name_ppolicy_check_module}.conf 
@@ -251,6 +252,7 @@ %patch9 -p1 %patch10 -p1 %patch11 -p1 +%patch12 -p1 cp %{SOURCE5} . # Move ppolicy check module and its Makefile into openldap-2.4/contrib/slapd-modules/ ++++++ 0012-use-system-wide-cert-dir-by-default.patch ++++++ The TLS configuration deliberately hid the error in case that user specified CA locations cannot be read, by loading CAs from default locations; and when user does not specify CA locations, the CAs from default locations are not read at all. This patch corrects the behaviour so that CAs from default location are used if user does not specify a CA location, and user is informed of the error if CAs cannot be loaded from the user specified location. Howard Guo <h...@suse.com> 2016-11-10 diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c openldap-2.4.41-patched/libraries/libldap/tls_o.c --- openldap-2.4.41/libraries/libldap/tls_o.c 2015-06-21 02:19:58.000000000 +0200 +++ openldap-2.4.41-patched/libraries/libldap/tls_o.c 2016-11-10 15:10:32.784147041 +0100 @@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s return -1; } - if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) { + if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) { + if ( !SSL_CTX_set_default_verify_paths( ctx ) ) { + Debug( LDAP_DEBUG_ANY, "TLS: " + "could not use default certificate paths", 0, 0, 0 ); + tlso_report_error(); + return -1; + } + } else { if ( !SSL_CTX_load_verify_locations( ctx, - lt->lt_cacertfile, lt->lt_cacertdir ) || - !SSL_CTX_set_default_verify_paths( ctx ) ) + lt->lt_cacertfile, lt->lt_cacertdir ) ) { Debug( LDAP_DEBUG_ANY, "TLS: " "could not load verify locations (file:`%s',dir:`%s').\n",
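Review bot: The changelog entry for 0012-use-system-wide-cert-dir-by-default.patch records only that the system-wide certificate directory is now read by default; it does not mention the second effect visible in the tls_o.c hunk, that a configured CA file or directory (`ldo_tls_cacertfile` / `ldo_tls_cacertdir`) is no longer supplemented by `SSL_CTX_set_default_verify_paths`. Please add a sentence such as "an explicitly configured CA location is now used exclusively" so that administrators whose explicit CA directory only held part of the chain understand why verification can start failing after this update.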
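Review bot: In the new `else` branch of the tls_o.c hunk, removing `!SSL_CTX_set_default_verify_paths( ctx )` from the condition changes the trust store contents, not just the error reporting: previously an explicit `lt->lt_cacertfile` / `lt->lt_cacertdir` was always combined with the default verify paths, now it replaces them. That is a reasonable tightening, but the patch header ("user is informed of the error if CAs cannot be loaded from the user specified location") does not say so; state the behaviour change explicitly in the header. Two smaller points: the new message "could not use default certificate paths" lacks the trailing ".\n" that the existing "could not load verify locations (file:`%s',dir:`%s').\n" message carries in the same function, so it will run into the next debug line; and the hunk as posted is cut off after that format string, so the closing of the new `if`/`else` and the `tlso_report_error(); return -1;` path for the else branch cannot be reviewed here. Please post the complete hunk.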