subbarao@computer.org wrote:
Full_Name: Kartik Subbarao Version: 2.4.16 OS: Debian 5.0.1 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (76.99.175.5)
When TLSVerifyClient is set to "try", OpenLDAP improperly rejects SSL connections without a client certificate. The problem appears to start with this section of code in tls.c around line 1564:
    #ifdef HAVE_GNUTLS
        if ( ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
            err = tls_cert_verify( ssl );
            if ( err && ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW )
                return err;
        }
    #endif
tls_cert_verify() calls gnutls_certificate_verify_peers2(), which appears to return error 49 when no client certificate is presented. tls_cert_verify() doesn't seem to distinguish between this case, and the case of an invalid client certificate, returning -1 in both cases.
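The failure mode the report describes (one error code standing in for both "no client certificate" and "invalid client certificate", so a "try" policy behaves like "demand") can be made concrete with a small decision model. The following is an added example, not OpenLDAP code: the enums, classify_peer_cert() and accept_session() are hypothetical names defined here, and the policy semantics follow the documented TLSVerifyClient keywords (never / allow / try / demand). The GnuTLS verify call is replaced by a two-flag classifier so the block runs offline; accept_session_buggy() reproduces the collapsed-error logic for comparison.

```c
#include <stdbool.h>
#include <stdio.h>

/* Client-certificate policy keywords of slapd's TLSVerifyClient option.
 * Defined locally for this example; OpenLDAP's own constants are the
 * LDAP_OPT_X_TLS_* values in ldap.h. */
typedef enum {
    VERIFY_NEVER,   /* do not request a client certificate at all */
    VERIFY_ALLOW,   /* request one; proceed whether absent or invalid */
    VERIFY_TRY,     /* request one; proceed if absent, reject if invalid */
    VERIFY_DEMAND   /* require a valid certificate ("demand" / "hard") */
} verify_policy;

/* Result of inspecting the peer certificate. Keeping ABSENT and INVALID
 * distinct is exactly what the reported code path fails to do. */
typedef enum {
    PEER_CERT_ABSENT,
    PEER_CERT_INVALID,
    PEER_CERT_VALID
} peer_cert_status;

/* Hypothetical stand-in for the library verify step: "presented" says
 * whether the client sent a certificate, "chain_ok" whether it verified. */
peer_cert_status classify_peer_cert(bool presented, bool chain_ok)
{
    if (!presented)
        return PEER_CERT_ABSENT;
    return chain_ok ? PEER_CERT_VALID : PEER_CERT_INVALID;
}

/* The behaviour described in the report: absent and invalid both become
 * the same non-zero error, so "try" rejects a client that simply offered
 * no certificate. Kept here only to show the difference. */
bool accept_session_buggy(verify_policy policy, bool presented, bool chain_ok)
{
    if (policy == VERIFY_NEVER)
        return true;
    int err = (presented && chain_ok) ? 0 : -1;  /* collapsed error code */
    if (err && policy != VERIFY_ALLOW)
        return false;
    return true;
}

/* Corrected decision: apply the policy to the distinct status. */
bool accept_session(verify_policy policy, bool presented, bool chain_ok)
{
    if (policy == VERIFY_NEVER)
        return true;
    switch (classify_peer_cert(presented, chain_ok)) {
    case PEER_CERT_VALID:
        return true;
    case PEER_CERT_ABSENT:
        return policy != VERIFY_DEMAND;  /* allow and try both proceed */
    case PEER_CERT_INVALID:
        return policy == VERIFY_ALLOW;   /* try and demand both reject */
    }
    return false;
}

/* Stand-alone run: print the decision table for both implementations. */
int main(void)
{
    const char *names[] = { "never", "allow", "try", "demand" };
    printf("policy  presented chain_ok  buggy  fixed\n");
    for (int p = VERIFY_NEVER; p <= VERIFY_DEMAND; p++) {
        for (int presented = 0; presented <= 1; presented++) {
            for (int ok = 0; ok <= presented; ok++) {
                printf("%-7s %-9d %-8d  %-5d  %d\n", names[p], presented, ok,
                       accept_session_buggy((verify_policy)p, presented, ok),
                       accept_session((verify_policy)p, presented, ok));
            }
        }
    }
    return 0;
}
```

The row to look at is policy "try" with presented = 0: the collapsed-error version rejects the session, the corrected version accepts it, while an invalid certificate is still rejected under "try" and only tolerated under "allow".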
This bug report makes no sense; the code you quoted is not part of OpenLDAP 2.4.16. The relevant code is in function tlsg_session_accept() in tls_g.c, and there is no such bug in that function.