Hello community,

here is the log from the commit of package openldap2 for openSUSE:Factory 
checked in at 2016-11-13 22:49:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openldap2 (Old)
 and      /work/SRC/openSUSE:Factory/.openldap2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openldap2"

Changes:
--------
--- /work/SRC/openSUSE:Factory/openldap2/openldap2.changes      2016-10-22 
13:00:11.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.openldap2.new/openldap2.changes 2016-11-13 
22:49:58.000000000 +0100
@@ -1,0 +2,8 @@
+Thu Nov 10 12:55:26 UTC 2016 - h...@suse.com
+
+- Introduce patch 0012-use-system-wide-cert-dir-by-default.patch
+  to let OpenLDAP read system wide certificate directory by
+  default and avoid hiding the error if user specified CA location
+  cannot be read (bsc#1009470).
+
+-------------------------------------------------------------------

New:
----
  0012-use-system-wide-cert-dir-by-default.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ openldap2.spec ++++++
--- /var/tmp/diff_new_pack.lD4HDy/_old  2016-11-13 22:50:00.000000000 +0100
+++ /var/tmp/diff_new_pack.lD4HDy/_new  2016-11-13 22:50:00.000000000 +0100
@@ -58,6 +58,7 @@
 Patch9:         0009-Fix-ldap-host-lookup-ipv6.patch
 Patch10:        0010-Enforce-minimum-DH-size-of-1024.patch
 Patch11:        0011-openldap-re24-its7796.patch
+Patch12:        0012-use-system-wide-cert-dir-by-default.patch
 Source200:      
%{name_ppolicy_check_module}-%{version_ppolicy_check_module}.tar.gz
 Source201:      %{name_ppolicy_check_module}.Makefile
 Source202:      %{name_ppolicy_check_module}.conf
@@ -251,6 +252,7 @@
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 cp %{SOURCE5} .
 
 # Move ppolicy check module and its Makefile into 
openldap-2.4/contrib/slapd-modules/

++++++ 0012-use-system-wide-cert-dir-by-default.patch ++++++
The TLS configuration deliberately hid the error in the case that user-specified CA
locations could not be read, by also loading CAs from the default locations; and when
the user did not specify any CA location, the CAs from the default locations were not
read at all.

This patch corrects the behaviour so that CAs from default location are used if 
user does
not specify a CA location, and user is informed of the error if CAs cannot be 
loaded from
the user specified location.

Howard Guo <h...@suse.com> 2016-11-10

diff -rupN openldap-2.4.41/libraries/libldap/tls_o.c 
openldap-2.4.41-patched/libraries/libldap/tls_o.c
--- openldap-2.4.41/libraries/libldap/tls_o.c   2015-06-21 02:19:58.000000000 
+0200
+++ openldap-2.4.41-patched/libraries/libldap/tls_o.c   2016-11-10 
15:10:32.784147041 +0100
@@ -253,10 +253,16 @@ tlso_ctx_init( struct ldapoptions *lo, s
                return -1;
        }
 
-       if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
+       if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
+               if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
+                       Debug( LDAP_DEBUG_ANY, "TLS: "
+                               "could not use default certificate paths", 0, 
0, 0 );
+                       tlso_report_error();
+                       return -1;
+               }
+       } else {
                if ( !SSL_CTX_load_verify_locations( ctx,
-                               lt->lt_cacertfile, lt->lt_cacertdir ) ||
-                       !SSL_CTX_set_default_verify_paths( ctx ) )
+                               lt->lt_cacertfile, lt->lt_cacertdir ) )
                {
                        Debug( LDAP_DEBUG_ANY, "TLS: "
                                "could not load verify locations 
(file:`%s',dir:`%s').\n",
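Review bot: The new Debug message `"could not use default certificate paths"` in the added branch has no trailing newline, unlike the neighbouring `"could not load verify locations (file:`%s',dir:`%s').\n"`, so the log line runs into whatever is printed next; change it to `"could not use default certificate paths.\n", 0, 0, 0 );`. The else branch also drops the former `SSL_CTX_set_default_verify_paths( ctx )` call, so a configuration with `ldo_tls_cacertfile` or `ldo_tls_cacertdir` set no longer trusts the system store in addition to the configured one; that narrowing matches the patch header but is not mentioned in the changelog entry, and since it changes which peers verify it is worth a sentence there. The new condition tests the `lo->ldo_tls_*` fields while the load call passes `lt->lt_cacertfile`/`lt->lt_cacertdir`, which presumably mirror them, but a one-line comment stating that relationship would make the branch easier to audit. tlso_ctx_init continues outside the hunk.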
