Re: (ITS#7002) Patch - Mozilla NSS - if client cert is bad, VerifyCert allow should warn and try should fail
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7002) Patch - Mozilla NSS - if client cert is bad, VerifyCert allow should warn and try should fail
- From: firstname.lastname@example.org
- Date: Thu, 28 Jul 2011 21:08:35 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> Full_Name: Rich Megginson
> Version: 2.4.26 (tip of git OPENLDAP_REL_ENG_2_4)
> OS: RHEL6
> URL: ftp://ftp.openldap.org/incoming/0001-Patch-Mozilla-NSS-if-client-cert-is-bad-VerifyCert-a.patch
> Submission from: (NULL) (188.8.131.52)
> If the olcTLSVerifyClient is set to a value other than "never", the server
> should request that the client send a client certificate for possible use with
> client cert auth (e.g. SASL/EXTERNAL).
> If set to "allow", if the client sends a cert, and there are problems with it,
> the server will warn about problems, but will allow the SSL session to proceed
> without a client cert.
> If set to "try", if the client sends a cert, and there are problems with it, the
> server will warn about those problems, and shut down the SSL session.
> If set to "demand" or "hard", the client must send a cert, and the server will
> shut down the SSL session if there are problems.
> I added a new member of the tlsm context structure - tc_warn_only - if this is
> set, tlsm_verify_cert will only warn about errors, and only if TRACE level debug
> is set. This allows the server to warn but allow bad certs if "allow" is set,
> and warn and fail if "try" is set.
> Note: The patch applies on top of ITS#7001 - you cannot apply this patch first,
> then the patch to 7001.
This patch does not apply cleanly to git master. Please remember the devel
guidelines - all submissions must be relative to git master.
I've cleaned up the rejected parts of this patch so you don't need to resubmit.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/