[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7002) Patch - Mozilla NSS - if client cert is bad, VerifyCert allow should warn and try should fail

To: openldap-its@OpenLDAP.org
Subject: (ITS#7002) Patch - Mozilla NSS - if client cert is bad, VerifyCert allow should warn and try should fail
From: rmeggins@redhat.com
Date: Tue, 26 Jul 2011 03:08:26 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Rich Megginson
Version: 2.4.26 (tip of git OPENLDAP_REL_ENG_2_4)
OS: RHEL6
URL: ftp://ftp.openldap.org/incoming/0001-Patch-Mozilla-NSS-if-client-cert-is-bad-VerifyCert-a.patch
Submission from: (NULL) (76.113.106.30)


If the olcTLSVerifyClient is set to a value other than "never", the server
should request that the client send a client certificate for possible use with
client cert auth (e.g. SASL/EXTERNAL).
If set to "allow", if the client sends a cert, and there are problems with it,
the server will warn about problems, but will allow the SSL session to proceed
without a client cert.
If set to "try", if the client sends a cert, and there are problems with it, the
server will warn about those problems, and shutdown the SSL session.
If set to "demand" or "hard", the client must send a cert, and the server will
shutdown the SSL session if there are problems.
I added a new member of the tlsm context structure - tc_warn_only - if this is
set, tlsm_verify_cert will only warn about errors, and only if TRACE level debug
is set.  This allows the server to warn but allow bad certs if "allow" is set,
and warn and fail if "try" is set.

Note: The patch applies on top of ITS#7001 - you cannot apply this patch first,
then the patch to 7001

Prev by Date: (ITS#7001) Patch - Mozilla NSS - memleak - free the return of tlsm_find_and_verify_cert_key
Next by Date: Re: (ITS#6994) Syncrepl with MozNSS inherits TLS context form main configuration breaking some syncrepl setups
Index(es):
- Chronological
- Thread