[SCM] Debian packaging of libnet-ldap-perl branch, master, updated. debian/0.4300-1-2-gfd2100c
gregor herrmann
gregoa at debian.org
Fri Dec 2 14:41:07 UTC 2011
The following commit has been merged in the master branch:
commit 80832d2a9f54444d0d91a6f3f3407d406e98eeb2
Author: gregor herrmann <gregoa at debian.org>
Date: Fri Dec 2 15:26:35 2011 +0100
Add patch 0001-un-break-certificate-verification.patch,
taken from upstream's "next" branch (commits a3c4f7f from Peter Marschall
and db0b090 from Graham Barr): un-break certificate verification.
Closes: #640883
diff --git a/debian/patches/0001-un-break-certificate-verification.patch b/debian/patches/0001-un-break-certificate-verification.patch
new file mode 100644
index 0000000..6c01330
--- /dev/null
+++ b/debian/patches/0001-un-break-certificate-verification.patch
@@ -0,0 +1,73 @@
+From a3c4f7fe85129b036d915c9064752d9b542ad803 Mon Sep 17 00:00:00 2001
+From: Peter Marschall <peter at adpm.de>
+Date: Wed, 7 Sep 2011 13:21:48 +0200
+Subject: [PATCH] un-break certificate verification
+
+Commit 041d540 "Specify that we want to use the 'ldap' scheme to verify
+certificates" unconditionally set IO:Socket::SSL's SSL_verify_cn_scheme
+'ldap'.
+
+In principle this is a good thing: it allows to verify whether the name of
+the host we connect to matches the host name in the certificate presented.
+
+But doing it unconditionally led to some trouble:
+* it broke $ldap->start_tls() completely.
+ see SSL_verifycn_name in IO::Socket::SSL(3) for why
+* in the case of sslverify = 'none' it created a warning
+ on every connect.
+
+This commit fixes both issues.
+---
+ lib/Net/LDAP.pm | 11 ++++++++++-
+ 1 files changed, 10 insertions(+), 1 deletions(-)
+
+~~~
+
+From db0b09089531629c58d61f3c7d8b5daab7fd22a4 Mon Sep 17 00:00:00 2001
+From: Graham Barr <gbarr at pobox.com>
+Date: Fri, 23 Sep 2011 10:06:58 -0500
+Subject: [PATCH] fix copy & paste typo
+
+---
+ lib/Net/LDAP.pm | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+--- a/lib/Net/LDAP.pm
++++ b/lib/Net/LDAP.pm
+@@ -192,11 +192,18 @@
+ my $arg = shift;
+
+ my $verify = 0;
++ my %verifycn_ctx = ();
+ my ($clientcert,$clientkey,$passwdcb);
+
+ if (exists $arg->{'verify'}) {
+ my $v = lc $arg->{'verify'};
+ $verify = 0 + (exists $ssl_verify{$v} ? $ssl_verify{$v} : $verify);
++
++ if ($verify) {
++ $verifycn_ctx{SSL_verifycn_scheme} = "ldap";
++ $verifycn_ctx{SSL_verifycn_name} = $arg->{'sslserver'}
++ if (defined $arg->{'sslserver'});
++ }
+ }
+
+ if (exists $arg->{'clientcert'}) {
+@@ -230,7 +237,7 @@
+ SSL_verify_mode => $verify,
+ SSL_version => defined $arg->{'sslversion'} ? $arg->{'sslversion'} :
+ 'sslv2/3',
+- SSL_verifycn_scheme => "ldap",
++ %verifycn_ctx,
+ );
+ }
+
+@@ -1031,6 +1038,8 @@
+ delete $ldap->{net_ldap_root_dse};
+
+ $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
++ $arg->{sslserver} = $ldap->{'net_ldap_host'} unless defined $arg->{sslserver};
++
+ IO::Socket::SSL::context_init( { _SSL_context_init_args($arg) } );
+ my $sock_class = ref($sock);
+
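Review bot: In the embedded hunk at "@@ -192,11 +192,18 @@" of lib/Net/LDAP.pm, the new "if ($verify)" block makes the hostname check depend on a value that silently stays 0 when the verify argument is not a key of %ssl_verify, so a misspelled verify option switches off both certificate verification and the SSL_verifycn_scheme check with no diagnostic. Consider warning or croaking on an unrecognised value at that point. In the same block SSL_verifycn_name is only set when sslserver is defined, and among the visible hunks only the one at "@@ -1031,6 +1038,8 @@" fills it in from net_ldap_host, so please confirm that any other caller of _SSL_context_init_args either passes sslserver or is meant to rely on IO::Socket::SSL's own default name. On the packaging side, the patch file carries only the two upstream git headers joined by "~~~"; adding Origin and Bug-Debian fields (for #640883) would record the provenance in the patch itself.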
diff --git a/debian/patches/series b/debian/patches/series
index 5622f22..625fa88 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
fix-pod-spelling.patch
+0001-un-break-certificate-verification.patch
--
Debian packaging of libnet-ldap-perl