[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [BUG,PATCH] slapd unable to import CRL using GnuTLS backend

Thanks for the info, but please submit this to the ITS so that it may be tracked.

Arnaud Ebalard wrote:

When openldap is linked with gnutls for TLS support, a file containing
CRL in PEM format can be provided (in slapd.conf, using TLSCRLFile

The following code in ldap_int_tls_init_ctx() (librairies/libldap/tls.c)
prevents the daemon to start when the option is used:

         if ( lo->ldo_tls_crlfile ) {
                 rc = gnutls_certificate_set_x509_crl_file(
                         ((tls_ctx*) lo->ldo_tls_ctx)->cred,
                         GNUTLS_X509_FMT_PEM );
                 if ( rc<  0 ) goto error_exit;

because gnutls_certificate_set_x509_crl_file() returns the number of CRL
files that have been imported which is stored in rc and returned later
in the function. Caller expects 0, otherwise it reports an error, the
value of rc (below, with 3 CRL in the file) and slapd fails to start:

    ....  main TLS init def ctx failed: 3

The patch below is for 2.4.10, but should apply against all versions (it
applies fine against current Debian version available under Unstable).
Tell me if you have issues.

I recompiled the Debian version with the patch applied and it works as



  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/