Issue 7002 - Patch - Mozilla NSS - if client cert is bad, VerifyCert allow should warn and try should fail
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: unspecified
Hardware: All
OS: All
Importance: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-26 03:08 UTC by rich.megginson@gmail.com
Modified: 2014-08-01 21:04 UTC (History)
Description rich.megginson@gmail.com 2011-07-26 03:08:26 UTC
Full_Name: Rich Megginson
Version: 2.4.26 (tip of git OPENLDAP_REL_ENG_2_4)
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/0001-Patch-Mozilla-NSS-if-client-cert-is-bad-VerifyCert-a.patch
Submission from: (NULL) (76.113.106.30)


If the olcTLSVerifyClient is set to a value other than "never", the server
should request that the client send a client certificate for possible use with
client cert auth (e.g. SASL/EXTERNAL).
If set to "allow", if the client sends a cert, and there are problems with it,
the server will warn about problems, but will allow the SSL session to proceed
without a client cert.
If set to "try", if the client sends a cert, and there are problems with it, the
server will warn about those problems, and shut down the SSL session.
If set to "demand" or "hard", the client must send a cert, and the server will
shut down the SSL session if there are problems.
I added a new member of the tlsm context structure - tc_warn_only - if this is
set, tlsm_verify_cert will only warn about errors, and only if TRACE level debug
is set.  This allows the server to warn but allow bad certs if "allow" is set,
and warn and fail if "try" is set.

Note: The patch applies on top of ITS#7001 - you cannot apply this patch first
and then the patch for ITS#7001.
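The "allow" versus "try" behaviour described in the report, as an added configuration example (it is not part of the report or of OpenLDAP's own documentation). It changes olcTLSVerifyClient through cn=config with ldapmodify; the attribute name and its values are the ones the report uses, while the comments summarise the report's description of each setting and the ldapwhoami check in the usage note is an assumption about a typical deployment:

```ldif
# Added example: move a slapd from "allow" to "try" via cn=config.
#
# Previous value (weaker for SASL/EXTERNAL):
#   olcTLSVerifyClient: allow
# With "allow", a client cert that fails verification only produces a
# warning (with the Mozilla NSS backend, only at TRACE debug level) and
# the TLS session continues without a client cert, so a SASL/EXTERNAL
# bind gets no certificate-derived identity instead of an error.
#
# With "try", a cert that fails verification is warned about and the
# TLS session is shut down; "demand"/"hard" additionally require that a
# cert be sent at all.
dn: cn=config
changetype: modify
replace: olcTLSVerifyClient
olcTLSVerifyClient: try
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f verifyclient.ldif` (assuming root access to the ldapi socket), then bind as a client with `ldapwhoami -Y EXTERNAL -ZZ -H ldap://host/` using the client's certificate: under "try" a cert that fails verification now ends the TLS session instead of yielding an anonymous bind. Because the report states that the NSS backend only logs the verification problems at TRACE level, run slapd with `-d trace` (or raise olcLogLevel accordingly) when diagnosing why a particular client cert is rejected.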
Comment 1 Howard Chu 2011-07-28 21:08:07 UTC
rmeggins@redhat.com wrote:
> Full_Name: Rich Megginson
> Version: 2.4.26 (tip of git OPENLDAP_REL_ENG_2_4)
> OS: RHEL6
> URL: ftp://ftp.openldap.org/incoming/0001-Patch-Mozilla-NSS-if-client-cert-is-bad-VerifyCert-a.patch
> Submission from: (NULL) (76.113.106.30)
>
>
> If the olcTLSVerifyClient is set to a value other than "never", the server
> should request that the client send a client certificate for possible use with
> client cert auth (e.g. SASL/EXTERNAL).
> If set to "allow", if the client sends a cert, and there are problems with it,
> the server will warn about problems, but will allow the SSL session to proceed
> without a client cert.
> If set to "try", if the client sends a cert, and there are problems with it, the
> server will warn about those problems, and shut down the SSL session.
> If set to "demand" or "hard", the client must send a cert, and the server will
> shut down the SSL session if there are problems.
> I added a new member of the tlsm context structure - tc_warn_only - if this is
> set, tlsm_verify_cert will only warn about errors, and only if TRACE level debug
> is set.  This allows the server to warn but allow bad certs if "allow" is set,
> and warn and fail if "try" is set.
>
> Note: The patch applies on top of ITS#7001 - you cannot apply this patch first
> and then the patch for ITS#7001.

This patch does not apply cleanly to git master. Please remember the devel 
guidelines - all submissions must be relative to git master.

I've cleaned up the rejected parts of this patch so you don't need to resubmit 
this one.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 2 Howard Chu 2011-07-28 21:10:30 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 3 Quanah Gibson-Mount 2011-10-05 23:42:11 UTC
changed notes
changed state Test to Release
Comment 4 Quanah Gibson-Mount 2011-11-28 18:37:37 UTC
changed notes
changed state Release to Closed
Comment 5 OpenLDAP project 2014-08-01 21:04:38 UTC
fixed in master
fixed in RE24