[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#5582) Default OpenSSL certs are only used when TLS_CACERT(DIR)



Full_Name: Hallvard B Furuseth
Version: HEAD, 2.3, 2.4
OS: Linux
URL: ftp://ftp.openldap.org/incoming/Hallvard-Furuseth-080627.diff
Submission from: (NULL) (129.240.6.233)
Submitted by: hallvard


OpenLDAP only uses the default certificates installed with OpenSSL if
TLS_CACERT or TLS_CACERTDIR is set.  Or presumably
TLSCACertificate<File/Dir> in servers, but the libldap/tls.c code for
servers seem to require a certificate chain from that directory anyway.

To reproduce:
  $ export LDAPCONF=/dev/null
  $ ldapwhoami -xZZh ldap.uio.no
  certificate verify failed
  $ export LDAPTLS_CACERT="*any* certificate.pem file"
  $ ldapwhoami -xZZh ldap.uio.no
  anonymous

  Or if it still fails, find where OpenSSL wants its default certs:
    strace ldapwhoami -xZZh ldap.uio.no 2>&1 | grep ssl
  and temporarily append the root cert which signed our server cert from
	https://secure.globalsign.net/cacert/CT_Root_CA.pem
  Then try again.  Something like /usr/local/ssl/cert.pem.
  $ ldapwhoami -xZZh ldap.uio.no
  anonymous
  $ unset LDAPTLS_CACERT; ldapwhoami -xZZh ldap.uio.no
  certificate verify failed

The relevant code is in libldap/tls.c:ldap_int_tls_init_ctx().
I enclose a tentative patch which fixes the above problem, but
I'm not sure it's the right one for servers and GnuTLS.

The GnuTLS branch does not require a server TLSCACertificateFile,
but the OpenSSL code does.  I don't know if GnuTLS has a default
which is used instead, nor if OpenSSL can have that.