Re: (ITS#5577) [BUG, PATCH] slapd unable to import CRL using GnuTLS backend
arno@natisbad.org wrote:
> Full_Name: Arnaud Ebalard
> Version: 2.4.10
> OS: Linux (Debian unstable)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (213.215.50.138)
>
>
> Hi,
>
> When openldap is linked with gnutls for TLS support, a file containing
> CRL in PEM format can be provided (in slapd.conf, using TLSCRLFile
> parameter).
>
> The following code in ldap_int_tls_init_ctx() (libraries/libldap/tls.c)
> prevents the daemon from starting when the option is used:
>
>     if ( lo->ldo_tls_crlfile ) {
>         rc = gnutls_certificate_set_x509_crl_file(
>             ((tls_ctx*) lo->ldo_tls_ctx)->cred,
>             crlfile,
>             GNUTLS_X509_FMT_PEM );
>         if ( rc < 0 ) goto error_exit;
>     }
>
> because gnutls_certificate_set_x509_crl_file() returns the number of CRL
> files that have been imported, which is stored in rc and returned later
> in the function. The caller expects 0; otherwise it reports an error with the
> value of rc (below, with 3 CRLs in the file) and slapd fails to start:
>
> .... main TLS init def ctx failed: 3
Thanks, fixed in HEAD.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
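The return-value mix-up in the report above, as an added stand-alone example that is not OpenLDAP or GnuTLS code: crl_import_count() is a constructed stand-in for gnutls_certificate_set_x509_crl_file() that keeps its convention (number of CRLs imported on success, negative on error), and the two init functions contrast the reported shape with one that keeps the count out of the status (an illustration of the fix pattern, not the committed change).

```c
/* Added example, not OpenLDAP or GnuTLS code: reproduces the ITS#5577
 * return-value mix-up without linking GnuTLS. crl_import_count() is a
 * constructed stand-in for gnutls_certificate_set_x509_crl_file(), keeping
 * its convention: number of CRLs imported (>= 0) on success, negative on error. */
#include <stddef.h>
#include <string.h>

/* Count "-----BEGIN X509 CRL-----" blocks in a PEM buffer; -1 if none
 * (constructed error code, not a GnuTLS value). */
static int crl_import_count(const char *pem)
{
    const char *marker = "-----BEGIN X509 CRL-----";
    int n = 0;
    for (const char *p = pem; (p = strstr(p, marker)) != NULL; p += strlen(marker))
        n++;
    return n > 0 ? n : -1;
}

/* Shape reported in the bug: rc keeps the CRL count and is handed back as
 * the init status, so a file holding 3 CRLs makes the caller log "failed: 3". */
int tls_init_ctx_buggy(const char *crlfile_pem)
{
    int rc = 0;
    if (crlfile_pem) {
        rc = crl_import_count(crlfile_pem);
        if (rc < 0) return rc;   /* genuine import failure */
    }
    return rc;                   /* bug: returns 3 for a 3-CRL file */
}

/* Fixed shape: only a negative result is a failure; reset rc to 0 so the
 * count never leaks into the status the caller tests against 0. */
int tls_init_ctx_fixed(const char *crlfile_pem)
{
    int rc = 0;
    if (crlfile_pem) {
        rc = crl_import_count(crlfile_pem);
        if (rc < 0) return rc;
        rc = 0;
    }
    return rc;
}

/* Constructed PEM with three CRL blocks; bodies are placeholders, only the
 * markers matter for the stand-in. */
const char THREE_CRLS[] =
    "-----BEGIN X509 CRL-----\nAAAA\n-----END X509 CRL-----\n"
    "-----BEGIN X509 CRL-----\nBBBB\n-----END X509 CRL-----\n"
    "-----BEGIN X509 CRL-----\nCCCC\n-----END X509 CRL-----\n";
```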