
Re: (ITS#5577) [BUG, PATCH] slapd unable to import CRL using GnuTLS backend



arno@natisbad.org wrote:
> Full_Name: Arnaud Ebalard
> Version: 2.4.10
> OS: Linux (Debian unstable)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (213.215.50.138)
>
>
> Hi,
>
> When openldap is linked with gnutls for TLS support, a file containing
> CRL in PEM format can be provided (in slapd.conf, using TLSCRLFile
> parameter).
>
> The following code in ldap_int_tls_init_ctx() (libraries/libldap/tls.c)
> prevents the daemon from starting when the option is used:
>
>          if ( lo->ldo_tls_crlfile ) {
>                  rc = gnutls_certificate_set_x509_crl_file(
>                          ((tls_ctx*) lo->ldo_tls_ctx)->cred,
>                          crlfile,
>                          GNUTLS_X509_FMT_PEM );
>                  if ( rc < 0 ) goto error_exit;
>          }
>
> because gnutls_certificate_set_x509_crl_file() returns the number of CRLs
> that have been imported, which is stored in rc and returned later in the
> function. The caller expects 0; otherwise it reports an error with the
> value of rc (below, with 3 CRLs in the file) and slapd fails to start:
>
>     ....  main TLS init def ctx failed: 3

Thanks, fixed in HEAD.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
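The return-value mix-up described in the report, as an added stand-alone example (not OpenLDAP or GnuTLS code): fake_set_crl_pem() is an assumed stand-in that mirrors the real GnuTLS convention (number of CRLs processed, or a negative error code) on a constructed in-memory PEM buffer, and the two init functions show the reported pattern beside the corrected one.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for gnutls_certificate_set_x509_crl_file(): like the real call it
 * returns how many CRLs it parsed (>= 0) or a negative error code; it never
 * returns "0 on success". A BEGIN/END marker mismatch stands in for a parse
 * error. Input is a constructed PEM buffer rather than a file. */
static int fake_set_crl_pem(const char *pem)
{
    const char *begin = "-----BEGIN X509 CRL-----";
    const char *end = "-----END X509 CRL-----";
    int nbegin = 0, nend = 0;
    for (const char *p = strstr(pem, begin); p; p = strstr(p + 1, begin))
        nbegin++;
    for (const char *p = strstr(pem, end); p; p = strstr(p + 1, end))
        nend++;
    if (nbegin != nend)
        return -1;                  /* malformed: assumed error code */
    return nbegin;                  /* count of CRLs, 3 for the sample below */
}

/* Pattern from the bug report: rc is only checked for < 0, so a positive
 * CRL count leaks out, and the caller treats anything but 0 as failure. */
int crl_init_buggy(const char *pem)
{
    int rc = 0;
    if (pem) {
        rc = fake_set_crl_pem(pem);
        if (rc < 0) goto error_exit;
    }
    return rc;                      /* 3 -> "TLS init def ctx failed: 3" */
error_exit:
    return rc;
}

/* Corrected pattern: any non-negative count means success, so report 0. */
int crl_init_fixed(const char *pem)
{
    int rc = 0;
    if (pem) {
        rc = fake_set_crl_pem(pem);
        if (rc < 0) goto error_exit;
        rc = 0;
    }
    return rc;
error_exit:
    return rc;
}

/* Constructed buffer with three CRL blocks (bodies omitted). */
const char *sample_crl_pem =
    "-----BEGIN X509 CRL-----\n...\n-----END X509 CRL-----\n"
    "-----BEGIN X509 CRL-----\n...\n-----END X509 CRL-----\n"
    "-----BEGIN X509 CRL-----\n...\n-----END X509 CRL-----\n";
```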