
Re: (ITS#6131) "TLSVerifyClient try" not working with GNU TLS



subbarao@computer.org wrote:
> Full_Name: Kartik Subbarao
> Version: 2.4.16
> OS: Debian 5.0.1
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (76.99.175.5)
>
>
> When TLSVerifyClient is set to "try", OpenLDAP improperly rejects SSL
> connections without a client certificate. The problem appears to start with this
> section of code in tls.c around line 1564:
>
> #ifdef HAVE_GNUTLS
>      if ( ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
>          err = tls_cert_verify( ssl );
>          if ( err && ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW )
>              return err;
>      }
> #endif
>
> tls_cert_verify() calls gnutls_certificate_verify_peers2(), which appears to
> return error 49 when no client certificate is presented. tls_cert_verify()
> doesn't seem to distinguish between this case, and the case of an invalid client
> certificate, returning -1 in both cases.
>
This bug report makes no sense; the code you quoted is not part of OpenLDAP 
2.4.16. The relevant code is in function tlsg_session_accept() in tls_g.c, and 
there is no such bug in that function.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
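The TLSVerifyClient semantics the report turns on (never/allow/try/demand, with "no certificate offered" kept separate from "certificate failed verification"), written out as an added example that is not code from OpenLDAP or from either poster; the enum names, the NO_CERT_RC stand-in for the "error 49" the report mentions, and both decision functions are constructed for illustration.

```c
#include <stdbool.h>

/* Policy values mirroring the TLSVerifyClient keywords; constructed names,
   not libldap's LDAP_OPT_X_TLS_* constants. */
enum require_cert { CERT_NEVER, CERT_ALLOW, CERT_TRY, CERT_DEMAND };

/* Verification result collapsed to three states so that a peer that sent
   no certificate is never confused with one whose certificate is bad. */
enum peer_cert_state { PEER_NO_CERT, PEER_CERT_VALID, PEER_CERT_INVALID };

/* Constructed stand-in for the verifier's raw return code: 0 on success,
   NO_CERT_RC when the peer sent nothing, any other non-zero on failure. */
#define NO_CERT_RC 49

enum peer_cert_state classify_verify_rc(int rc) {
    if (rc == 0) return PEER_CERT_VALID;
    if (rc == NO_CERT_RC) return PEER_NO_CERT;
    return PEER_CERT_INVALID;
}

/* Policy-aware decision:
   never  - the certificate is not examined at all
   allow  - accept with or without a certificate, even an invalid one
   try    - accept when no certificate is offered, reject an invalid one
   demand - require a certificate that verifies */
bool accept_client(enum require_cert policy, enum peer_cert_state st) {
    switch (policy) {
    case CERT_NEVER:  return true;
    case CERT_ALLOW:  return true;
    case CERT_TRY:    return st != PEER_CERT_INVALID;
    case CERT_DEMAND: return st == PEER_CERT_VALID;
    }
    return false;
}

/* The collapsed check the report describes, kept for contrast: any non-zero
   verify result is treated as an error once the policy is stricter than
   allow, so under "try" a peer that simply sent no certificate is rejected. */
bool accept_client_collapsed(enum require_cert policy, int rc) {
    if (policy != CERT_NEVER) {
        if (rc != 0 && policy != CERT_ALLOW) return false;
    }
    return true;
}
```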