Commit Graph

19685 Commits

Author SHA1 Message Date
Pierangelo Masarati
e080ba6e9d honor TIMEOUT when appropriate (ITS#7009); also honor timelimit (was broken) 2011-08-10 22:40:49 +02:00
Pierangelo Masarati
6b74e9002b make sure 2-arg statements have exactly 2 args (related to ITS#7012) 2011-08-10 20:26:59 +02:00
Pierangelo Masarati
55c70629aa TLS config statements always need an argument (related to ITS#7012) 2011-08-10 20:26:59 +02:00
Howard Chu
a31a8ed20e ITS#6999 fix syncrepl timeout in refreshAndPersist 2011-07-29 13:05:45 -07:00
Rich Megginson
210b156ece ITS#7002 MozNSS: fix VerifyCert allow/try behavior
If the olcTLSVerifyClient is set to a value other than "never", the server
should request that the client send a client certificate for possible use
with client cert auth (e.g. SASL/EXTERNAL).
If set to "allow", if the client sends a cert, and there are problems with
it, the server will warn about problems, but will allow the SSL session to
proceed without a client cert.
If set to "try", if the client sends a cert, and there are problems with
it, the server will warn about those problems, and shutdown the SSL session.
If set to "demand" or "hard", the client must send a cert, and the server
will shutdown the SSL session if there are problems.
I added a new member of the tlsm context structure - tc_warn_only - if this
is set, tlsm_verify_cert will only warn about errors, and only if TRACE
level debug is set.  This allows the server to warn but allow bad certs
if "allow" is set, and warn and fail if "try" is set.
2011-07-28 14:09:55 -07:00
Rich Megginson
fb4b4f7445 ITS#7001 MozNSS: free the return of tlsm_find_and_verify_cert_key
If tlsm_find_and_verify_cert_key finds the cert and/or key, and it fails
to verify them, it will leave them allocated for the caller to dispose of.
There were a couple of places that were not disposing of the cert and key
upon error.
2011-07-28 14:00:15 -07:00
Howard Chu
ff7acea2d2 ITS#7000 fix bad patch in ITS#6472 2011-07-28 13:52:47 -07:00
Howard Chu
890d4c6216 ITS#7003 fix typo 2011-07-28 13:48:08 -07:00
Jan Vcelak
e8ac17e17c ITS#6998 MozNSS: when cert not required, ignore issuer expiration
When the server certificate is not required in a TLS session (e.g.
TLS_REQCERT is set to 'never'), ignore the expired issuer certificate error
and do not terminate the connection.
2011-07-21 11:59:06 -07:00
Howard Chu
8eecc9a017 Only return requested attrs in sssvlv response 2011-07-18 12:53:23 -07:00
Howard Chu
db106f89e6 ITS#6985 fix sssvlv target offset, ordering match 2011-07-18 12:41:51 -07:00
Pierangelo Masarati
c86677ef41 blind fix build on solaris native compilers (ITS#6992) 2011-07-08 08:48:59 +02:00
Pierangelo Masarati
c0b669e14f fix config emit (ITS#6986) 2011-07-07 08:16:23 +02:00
Howard Chu
c02e681121 ITS#6982 fix md5 memset invocation 2011-07-01 22:55:06 -07:00
Pierangelo Masarati
8df4c357be authTimestamp should be manageable (ITS#6873) 2011-06-30 21:55:28 +02:00
Pierangelo Masarati
92f4a3b2a7 response tag is [1] according to RFC 2589 (ITS#6886) 2011-06-30 21:24:12 +02:00
Rich Megginson
d944920fd3 ITS#6980 free the result of SSL_PeerCertificate
In tlsm_auth_cert_handler, we get the peer's cert from the socket using
SSL_PeerCertificate.  This value is allocated and/or cached.  We must
destroy it using CERT_DestroyCertificate.
2011-06-29 16:56:26 -07:00
Howard Chu
7ee3dee647 ITS#6828 set ld_errno on connect failures 2011-06-27 18:43:31 -07:00
Rein Tollevik
ffa8eca405 Merge branch 'master' of ssh://git-master.openldap.org/~git/git/openldap 2011-06-27 14:21:35 +02:00
Rein Tollevik
62861cae0e ITS#6716 Extend test where consumer/provider holds CSNs with differing SIDs. 2011-06-27 14:17:39 +02:00
Howard Chu
230f433ec7 ITS#6872 re-enable test058 2011-06-27 04:48:25 -07:00
Howard Chu
ebf07016ef ITS#6872 fix test058 breakage from prev patch 2011-06-27 04:46:43 -07:00
Howard Chu
052ac2f64a ITS#6828 silence warning in prev commit 2011-06-24 18:03:11 -07:00
Howard Chu
d76be4828c ITS#6977 fix verbose check in client tools 2011-06-23 17:10:37 -07:00
Howard Chu
d0973003f7 ITS#6978 bail out on invalid input 2011-06-23 13:17:08 -07:00
Howard Chu
b1f26a8b17 Fix NO_THREADS typo 2011-06-22 20:03:24 -07:00
Quanah Gibson-Mount
15ae0134ee Disable test058 until someone can track down what's wrong with it 2011-06-22 15:16:08 -07:00
Howard Chu
b0fcec8d65 ITS#6716 Use sorted CSNs in syncrepl too 2011-06-22 00:32:00 -07:00
Howard Chu
6da3e3473c ITS#6716 use sorted CSNs, fix sessionlog
track a CSN per SID in the log->sl_mincsn
2011-06-22 00:30:13 -07:00
Howard Chu
249422aa28 ITS#6716 Keep CSN lists sorted by SID 2011-06-21 22:35:14 -07:00
Howard Chu
ceefe132a8 ITS#6817 fix RE24 build breakage
Should SLAP_AUTH_DN be #defined in release now?
2011-06-21 17:05:53 -07:00
Rich Megginson
5e467e4899 ITS#6862 MozNSS - workaround PR_SetEnv bug 2011-06-21 15:58:49 -07:00
Rich Megginson
d78cf81648 ITS#6975 MozNSS - allow cacertdir in most cases
OpenLDAP built with OpenSSL allows most any value of cacertdir - directory
is a file, directory does not contain any CA certs, directory does not
exist - users expect that if they specify TLS_REQCERT=never, no matter what
the TLS_CACERTDIR setting is, TLS/SSL will just work.
TLS_CACERT, on the other hand, is a hard error.  Even if TLS_REQCERT=never,
if TLS_CACERT is specified and is not a valid CA cert file, TLS/SSL will
fail.  This patch makes CACERT errors hard errors, and makes CACERTDIR
errors "soft" errors.  The code checks CACERT first and, even though
the function will return an error, checks CACERTDIR anyway so that if the
user sets TRACE mode they will get CACERTDIR processing messages.
2011-06-21 15:56:55 -07:00
Howard Chu
ae24a1a6ac ITS#6973 need limits_check if overlay is global 2011-06-21 02:40:38 -07:00
Jan Vcelak
65e163d268 ITS#6947 Handle missing '\n' termination in LDIF input 2011-06-20 18:18:34 -07:00
Ondrej Kuznik
6f43600731 ITS#6974 (Re)moving stray cleanup code. 2011-06-20 18:13:36 -07:00
Hallvard Furuseth
e25bce9124 Tweak back-ldif messages about CRC checksums. 2011-06-20 21:53:05 +02:00
Hallvard Furuseth
06fe436053 Cleanup back-ldif CRC code.
Handle interrupted write() again.  Fix warnings/types.  #ifdef LDAP_DEBUG.
2011-06-20 21:45:03 +02:00
Howard Chu
05ca8c3710 More fixes, add test script 2011-06-20 11:05:08 -07:00
Howard Chu
48cdd54d9a Fix missing si_syncCookie numcsns 2011-06-20 06:51:33 -07:00
Howard Chu
480f0c16ff More tweaks for delta-mmr 2011-06-20 04:27:11 -07:00
Howard Chu
67bbad6e70 delta-mmr conflict resolution 2011-06-19 20:14:03 -07:00
Howard Chu
237a686107 More for conflict detection 2011-06-19 20:13:59 -07:00
Howard Chu
95d7adcd6d Setup delta-mmr using an overlay 2011-06-19 20:13:51 -07:00
Ralf Haferkamp
1e4faaf1bd Additional getter methods for LDAPModification 2011-06-15 15:28:55 +02:00
Howard Chu
0a9f51f58d ITS#6657/6691 use proper SQL length data type 2011-06-13 13:54:56 -07:00
Quanah Gibson-Mount
9578bf0145 ITS#6971 correct option is --enable-wrappers 2011-06-13 13:46:01 -07:00
Howard Chu
de395ddad3 ITS#6944 limit op cache to 10 ops per thread 2011-06-10 03:27:40 -07:00
Howard Chu
9f7d119ce3 Add LDAP_OPT_X_TLS_PACKAGE
to return the name of the underlying TLS implementation
2011-06-10 02:11:26 -07:00
Howard Chu
329e7937e6 ITS#6892 shortcut for non-replicated ops 2011-06-10 01:44:30 -07:00