[Pkg-openldap-devel] r1079 - in openldap/trunk/debian: . patches
vorlon at alioth.debian.org
Sat Feb 9 00:29:11 UTC 2008
Author: vorlon
Date: 2008-02-09 00:29:11 +0000 (Sat, 09 Feb 2008)
New Revision: 1079
Added:
openldap/trunk/debian/patches/slapd-tlsverifyclient-default
Modified:
openldap/trunk/debian/changelog
openldap/trunk/debian/patches/series
Log:
* Add new patch, slapd-tlsverifyclient-default, to set the intended default
value of "TLSVerifyClient never" in the right place. Partially addresses
bug #462588.
Modified: openldap/trunk/debian/changelog
===================================================================
--- openldap/trunk/debian/changelog 2008-02-08 22:31:35 UTC (rev 1078)
+++ openldap/trunk/debian/changelog 2008-02-09 00:29:11 UTC (rev 1079)
@@ -14,6 +14,9 @@
* Add new patch, gnutls-ciphers, to fix support for specifying multiple
ciphers with TLSCipherSuite option in slapd.conf. Thanks to Kyle Moffett
<kyle at moffetthome.net> for the patch. Closes LP: #188200.
+ * Add new patch, slapd-tlsverifyclient-default, to set the intended default
+ value of "TLSVerifyClient never" in the right place. Partially addresses
+ bug #462588.
* Add new patch from upstream, entryCSN-backwards-compatibility, to support
auto-converting entryCSN attributes in a previously supported old format,
fixing an upgrade failure. Closes: #462099.
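Review bot: the new entry uses "Partially addresses bug #462588" rather than the "Closes: #NNNNNN" form of the neighbouring entries; that is the right choice here, since a Closes: line would auto-close the bug on upload even though the fix is only partial, but the wording should stay consistent with the patch header so the two do not drift apart.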
Modified: openldap/trunk/debian/patches/series
===================================================================
--- openldap/trunk/debian/patches/series 2008-02-08 22:31:35 UTC (rev 1078)
+++ openldap/trunk/debian/patches/series 2008-02-09 00:29:11 UTC (rev 1079)
@@ -10,3 +10,4 @@
libldap-symbol-versions
gnutls-ciphers
entryCSN-backwards-compatibility
+slapd-tlsverifyclient-default -p0
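Review bot: the explicit "-p0" on this line is required because the patch's "---"/"+++" paths ("servers/slapd/main.c", "servers/slapd/init.c") are relative to the source root with no "a/" or "b/" prefix, unlike the other entries in series, which rely on quilt's default strip level; worth a one-line mention in the patch header so the next person regenerating the patch keeps the same path form.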
Added: openldap/trunk/debian/patches/slapd-tlsverifyclient-default
===================================================================
--- openldap/trunk/debian/patches/slapd-tlsverifyclient-default (rev 0)
+++ openldap/trunk/debian/patches/slapd-tlsverifyclient-default 2008-02-09 00:29:11 UTC (rev 1079)
@@ -0,0 +1,48 @@
+Author: Steve Langasek <vorlon at debian.org>
+
+Set the default value for client certificate checking with TLS/SSL in
+the per-context options, not in the "global" options which are in fact
+never used within slapd.
+
+Partially addresses Debian bug #462588.
+
+Index: servers/slapd/main.c
+===================================================================
+--- servers/slapd/main.c (revision 1074)
++++ servers/slapd/main.c (working copy)
+@@ -736,6 +736,14 @@
+ SERVICE_EXIT( ERROR_SERVICE_SPECIFIC_ERROR, 20 );
+ goto destroy;
+ }
++ /* Library defaults to full certificate checking. This is correct when
++ * a client is verifying a server because all servers should have a
++ * valid cert. But few clients have valid certs, so we want our default
++ * to be no checking. The config file can override this as usual.
++ */
++ rc = LDAP_OPT_X_TLS_NEVER;
++ printf("Initializing the server the right way\n");
++ (void) ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc );
+ #endif
+
+ rc = slap_init( serverMode, serverName );
+Index: servers/slapd/init.c
+===================================================================
+--- servers/slapd/init.c (revision 1074)
++++ servers/slapd/init.c (working copy)
+@@ -179,16 +179,6 @@
+ return 1;
+ }
+
+-#ifdef HAVE_TLS
+- /* Library defaults to full certificate checking. This is correct when
+- * a client is verifying a server because all servers should have a
+- * valid cert. But few clients have valid certs, so we want our default
+- * to be no checking. The config file can override this as usual.
+- */
+- rc = 0;
+- (void) ldap_pvt_tls_set_option( NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &rc );
+-#endif
+-
+ if ( frontend_init() ) {
+ slap_debug |= LDAP_DEBUG_NONE;
+ Debug( LDAP_DEBUG_ANY,
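Review bot: the added line `printf("Initializing the server the right way\n");` in the main.c hunk looks like leftover debugging output and should be dropped before this ships, since it writes unconditionally to slapd's stdout on every start; the rest of the hunk is sound: moving the TLS_REQUIRE_CERT default from the global options (the `NULL` handle in the removed init.c block, which slapd never consults) onto `slap_tls_ld` is what makes "TLSVerifyClient never" actually take effect, and replacing the bare `rc = 0` with `LDAP_OPT_X_TLS_NEVER` keeps the same value while making the intent readable. One caveat: the `(void)` cast discards the return value of `ldap_pvt_tls_set_option`, so a failure would silently leave the library's full-checking default in place; a `Debug( LDAP_DEBUG_ANY, ... )` on non-zero return would make that visible.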