mirror/openldap
2
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2024-12-15 03:01:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

ITS#8529 Avoid hiding the error if user specified CA does not load

Browse Source 
The TLS configuration deliberately hid the error in case that
user specified CA locations cannot be read, by loading CAs from default
locations; and when user does not specify CA locations, the CAs from default
locations are not read at all.

This patch corrects the behaviour so that CAs from default location are used
if user does not specify a CA location, and user is informed of the error if
CAs cannot be loaded from the user specified location.
This commit is contained in:
Howard Guo 2016-11-10 15:39:03 +01:00 committed by Quanah Gibson-Mount
parent ef60799568
commit 4962dd6083
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
libraries/libldap/tls_o.c
View File

@ -257,10 +257,16 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return -1;
}
if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not use default certificate paths", 0, 0, 0 );
tlso_report_error();
return -1;
}
} else {
if ( !SSL_CTX_load_verify_locations( ctx,
lt->lt_cacertfile, lt->lt_cacertdir ) ||
!SSL_CTX_set_default_verify_paths( ctx ) )
lt->lt_cacertfile, lt->lt_cacertdir ) )
{
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load verify locations (file:`%s',dir:`%s').\n",