
Re: (ITS#7287) [PATCH] MozNSS: do not overwrite error in tlsm_verify_cert



jvcelak@redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: git master
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/jvcelak-20120605-moznss-overwrite-error-in-tlsm-verify-cert.patch
> Submission from: (NULL) (209.132.186.34)
>
>
> If the peer certificate verification fails and the certificate does not contain
> the Basic Constraints extension, a wrong TLS error message is reported by the library.
> In addition, TLS_REQCERT=never does not work in this situation. This is caused
> by overwriting the original error code in the tlsm_verify_cert() function.
>
> Attached patch fixes this behavior.

Applied to master.
>
> Old version:
>
> $ ldapsearch -x -ZZ
> ldap_start_tls: Connect error (-11)
>          additional info: TLS error -8157:Certificate extension not found.
>
> Fixed version:
>
> $ ldapsearch -x -ZZ
> ldap_start_tls: Connect error (-11)
>          additional info: TLS error -8172:Peer's certificate issuer has been
> marked as not trusted by the user.
>
>
> The attached file is derived from OpenLDAP Software. All of the modifications to
> OpenLDAP Software represented in the following patch(es) were developed by Red
> Hat. Red Hat has not assigned rights and/or interest in this work to any party.
> I, Jan Vcelak, am authorized by Red Hat, my employer, to release this work under
> the following terms.
>
> Red Hat hereby places the following modifications to OpenLDAP Software (and only
> these modifications) into the public domain. Hence, these modifications may be
> freely used and/or redistributed for any purpose with or without attribution
> and/or other notice.
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
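The error-clobbering pattern the report describes, as an added example that is not OpenLDAP's code: a simplified C model in which an extension lookup made on the failure path overwrites the library's "last error" slot, beside the fixed shape that saves the original code and restores it. The error-slot helpers, the cert struct and the reqcert_never_accepts policy are assumptions for illustration; the two numeric codes are the values quoted in the report.

```c
#include <stdbool.h>

/* Hypothetical codes standing in for the NSS values quoted in the report. */
#define ERR_OK                0
#define ERR_UNTRUSTED_ISSUER  (-8172)  /* issuer marked as not trusted */
#define ERR_EXT_NOT_FOUND     (-8157)  /* certificate extension not found */

/* Assumed model of a library-wide "last error" slot in the style of PR_GetError(). */
static int last_error;
static void set_error(int e) { last_error = e; }
static int  get_error(void)  { return last_error; }

struct cert { bool trusted_issuer; bool has_basic_constraints; };  /* assumed model */

/* Simulated chain check: records ERR_UNTRUSTED_ISSUER on failure. */
static int verify_chain(const struct cert *c) {
    if (!c->trusted_issuer) { set_error(ERR_UNTRUSTED_ISSUER); return -1; }
    return 0;
}

/* Simulated extension lookup: also records an error when the extension is absent. */
static int find_basic_constraints(const struct cert *c) {
    if (!c->has_basic_constraints) { set_error(ERR_EXT_NOT_FOUND); return -1; }
    return 0;
}

/* Buggy shape: the lookup done while handling the failure clobbers the real cause. */
int verify_cert_buggy(const struct cert *c) {
    if (verify_chain(c) != 0) {
        find_basic_constraints(c);   /* may overwrite last_error */
        return get_error();          /* reports -8157 instead of -8172 */
    }
    return ERR_OK;
}

/* Fixed shape: capture the original error first and restore it before returning. */
int verify_cert_fixed(const struct cert *c) {
    if (verify_chain(c) != 0) {
        int orig = get_error();
        find_basic_constraints(c);
        set_error(orig);
        return orig;
    }
    return ERR_OK;
}

/* Assumed policy model: a "never" setting tolerates verification failures it knows
 * about, so a misreported code makes it reject what it should have let through. */
bool reqcert_never_accepts(int err) {
    return err == ERR_OK || err == ERR_UNTRUSTED_ISSUER;
}
```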