[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7287) [PATCH] MozNSS: do not overwrite error in tlsm_verify_cert

To: openldap-its@OpenLDAP.org
Subject: (ITS#7287) [PATCH] MozNSS: do not overwrite error in tlsm_verify_cert
From: jvcelak@redhat.com
Date: Tue, 5 Jun 2012 09:53:49 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Jan Vcelak
Version: git master
OS: Linux
URL: ftp://ftp.openldap.org/incoming/jvcelak-20120605-moznss-overwrite-error-in-tlsm-verify-cert.patch
Submission from: (NULL) (209.132.186.34)


If the peer certificate verification fails and the certificate does not contain
Basic Constraint Extension, wrong TLS error message is reported by the library.
In addition, TLS_REQCERT=never does not work in this situation. This is caused
by overwriting the original error code in tlsm_verify_cert() function.

Attached patch fixes this behavior.

Old version:

$ ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8157:Certificate extension not found.

Fixed version:

$ ldapsearch -x -ZZ
ldap_start_tls: Connect error (-11)
        additional info: TLS error -8172:Peer's certificate issuer has been
marked as not trusted by the user.


The attached file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in the following patch(es) were developed by Red
Hat. Red Hat has not assigned rights and/or interest in this work to any party.
I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under
the following terms. 

Red Hat hereby place the following modifications to OpenLDAP Software (and only
these modifications) into the public domain. Hence, these modifications may be
freely used and/or redistributed for any purpose with or without attribution
and/or other notice.

Prev by Date: Re: (ITS#7285) Mozilla NSS: default cipher suite always selected
Next by Date: Re: (ITS#7285) Mozilla NSS: default cipher suite always selected
Index(es):
- Chronological
- Thread