jvcelak@redhat.com wrote:

Full_Name: Jan Vcelak Version: git master OS: Linux URL: ftp://ftp.openldap.org/incoming/jvcelak-20120605-moznss-overwrite-error-in-tlsm-verify-cert.patch Submission from: (NULL) (209.132.186.34)

If the peer certificate verification fails and the certificate does not contain Basic Constraint Extension, wrong TLS error message is reported by the library. In addition, TLS_REQCERT=never does not work in this situation. This is caused by overwriting the original error code in tlsm_verify_cert() function.

Attached patch fixes this behavior.

Applied to master.

Old version:

$ ldapsearch -x -ZZ ldap_start_tls: Connect error (-11) additional info: TLS error -8157:Certificate extension not found.

Fixed version:

$ ldapsearch -x -ZZ ldap_start_tls: Connect error (-11) additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.

The attached file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in the following patch(es) were developed by Red Hat. Red Hat has not assigned rights and/or interest in this work to any party. I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under the following terms.

Red Hat hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.