[SCM] Debian packaging of libnet-ldap-perl branch, master, updated. debian/0.4300-1-2-gfd2100c

gregor herrmann gregoa at debian.org
Fri Dec 2 14:41:07 UTC 2011


The following commit has been merged in the master branch:
commit 80832d2a9f54444d0d91a6f3f3407d406e98eeb2
Author: gregor herrmann <gregoa at debian.org>
Date:   Fri Dec 2 15:26:35 2011 +0100

    Add patch 0001-un-break-certificate-verification.patch,
    
    taken from upstream's "next" branch (commits a3c4f7f from Peter Marschall
    and db0b090 from Graham Barr): un-break certificate verification.
    
    Closes: #640883

diff --git a/debian/patches/0001-un-break-certificate-verification.patch b/debian/patches/0001-un-break-certificate-verification.patch
new file mode 100644
index 0000000..6c01330
--- /dev/null
+++ b/debian/patches/0001-un-break-certificate-verification.patch
@@ -0,0 +1,73 @@
+From a3c4f7fe85129b036d915c9064752d9b542ad803 Mon Sep 17 00:00:00 2001
+From: Peter Marschall <peter at adpm.de>
+Date: Wed, 7 Sep 2011 13:21:48 +0200
+Subject: [PATCH] un-break certificate verification
+
+Commit 041d540 "Specify that we want to use the 'ldap' scheme to verify
+certificates" unconditionally set IO:Socket::SSL's SSL_verify_cn_scheme
+'ldap'.
+
+In principle this is a good thing: it allows to verify whether the name of
+the host we connect to matches the host name in the certificate presented.
+
+But doing it unconditionally led to some trouble:
+* it broke $ldap->start_tls() completely.
+  see SSL_verifycn_name in IO::Socket::SSL(3) for why
+* in the case of sslverify = 'none' it created a warning
+  on every connect.
+
+This commit fixes both issues.
+---
+ lib/Net/LDAP.pm |   11 ++++++++++-
+ 1 files changed, 10 insertions(+), 1 deletions(-)
+
+~~~
+
+From db0b09089531629c58d61f3c7d8b5daab7fd22a4 Mon Sep 17 00:00:00 2001
+From: Graham Barr <gbarr at pobox.com>
+Date: Fri, 23 Sep 2011 10:06:58 -0500
+Subject: [PATCH] fix copy & paste typo
+
+---
+ lib/Net/LDAP.pm |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+--- a/lib/Net/LDAP.pm
++++ b/lib/Net/LDAP.pm
+@@ -192,11 +192,18 @@
+   my $arg = shift;
+ 
+   my $verify = 0;
++  my %verifycn_ctx = ();
+   my ($clientcert,$clientkey,$passwdcb);
+ 
+   if (exists $arg->{'verify'}) {
+       my $v = lc $arg->{'verify'};
+       $verify = 0 + (exists $ssl_verify{$v} ? $ssl_verify{$v} : $verify);
++
++      if ($verify) {
++        $verifycn_ctx{SSL_verifycn_scheme} = "ldap";
++        $verifycn_ctx{SSL_verifycn_name} = $arg->{'sslserver'}
++          if (defined $arg->{'sslserver'});
++      }
+   }
+ 
+   if (exists $arg->{'clientcert'}) {
+@@ -230,7 +237,7 @@
+     SSL_verify_mode     => $verify,
+     SSL_version         => defined $arg->{'sslversion'} ? $arg->{'sslversion'} :
+                            'sslv2/3',
+-    SSL_verifycn_scheme => "ldap",
++    %verifycn_ctx,
+   );
+ }
+ 
+@@ -1031,6 +1038,8 @@
+   delete $ldap->{net_ldap_root_dse};
+ 
+   $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
++  $arg->{sslserver} = $ldap->{'net_ldap_host'} unless defined $arg->{sslserver};
++
+   IO::Socket::SSL::context_init( { _SSL_context_init_args($arg) } );
+   my $sock_class = ref($sock);
+ 
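Review bot: An unrecognised `verify` value still falls back to 0 on the `exists $ssl_verify{$v} ? $ssl_verify{$v} : $verify` line, and with the new `if ($verify)` guard that now also drops `SSL_verifycn_scheme`, so a misspelt setting silently turns off both chain and host-name checking. In the first lib/Net/LDAP.pm hunk I would report the unknown value before the guard, e.g. `warn "Net::LDAP: unknown verify value '$v', certificate checks disabled\n" unless exists $ssl_verify{$v};`. The same outcome applies when the caller passes no `verify` key at all, because the whole block is skipped; that default predates this patch, but it deserves a comment next to `my $verify = 0;` such as `# 0 = no peer verification; host-name check is only enabled when verify is set`. In the start_tls hunk the name checked against the certificate defaults to `$ldap->{'net_ldap_host'}`, which presumably holds the host the caller asked for rather than a resolved address; that should be confirmed, since both function bodies start and end outside the hunks shown.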
diff --git a/debian/patches/series b/debian/patches/series
index 5622f22..625fa88 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 fix-pod-spelling.patch
+0001-un-break-certificate-verification.patch

-- 
Debian packaging of libnet-ldap-perl


