[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#7276) [PATCH] MozNSS: allow CA certdb together with PEM CA bundle file

jvcelak@redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: master
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/jvcelak-20120518-update-nss-allow-ca-certdb-with-pem-ca-bundle.patch
> Submission from: (NULL) (
> With Mozilla NSS crypto backend:
> Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate
> database and TLS_CACERT was set to a PEM bundle file with CA
> certificates, the PEM file content was not loaded.
> With this patch and the same settings, OpenLDAP can verify certificates
> which are signed by CAs stored both in certdb and PEM bundle file.

Thanks for the patch, added to master.
> This problem was found with FreeIPA which is setting CA PEM bundle using
> ldap_set_option(&ld, LDAP_OPT_X_TLS_CACERTFILE, ...), while TLS_CACERTDIR with
> certdb is set in system ldap.conf file.
> The attached file is derived from OpenLDAP Software. All of the modifications to
> OpenLDAP Software represented in the following patch(es) were developed by Red
> Hat. Red Hat has not assigned rights and/or interest in this work to any party.
> I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under
> the following terms.
> Red Hat hereby place the following modifications to OpenLDAP Software (and only
> these modifications) into the public domain. Hence, these modifications may be
> freely used and/or redistributed for any purpose with or without attribution
> and/or other notice.

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/