Hi,
When openldap is linked with gnutls for TLS support, a file containing CRL in PEM format can be provided (in slapd.conf, using TLSCRLFile parameter).
The following code in ldap_int_tls_init_ctx() (libraries/libldap/tls.c) prevents the daemon from starting when the option is used:

    if ( lo->ldo_tls_crlfile ) {
        rc = gnutls_certificate_set_x509_crl_file(
            ((tls_ctx*) lo->ldo_tls_ctx)->cred,
            crlfile, GNUTLS_X509_FMT_PEM );
        if ( rc < 0 ) goto error_exit;
    }

because gnutls_certificate_set_x509_crl_file() returns the number of CRL files that have been imported, which is stored in rc and returned later in the function. The caller expects 0; otherwise it reports an error with the value of rc (below, with 3 CRLs in the file) and slapd fails to start:
.... main TLS init def ctx failed: 3
The patch below is for 2.4.10, but should apply against all versions (it applies fine against the current Debian version available in Unstable). Tell me if you have issues.
I recompiled the Debian version with the patch applied and it works as expected.
Cheers,
a+
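As an added illustration, not code from the report or from the OpenLDAP tree, the return-value mismatch in a self-contained C sketch: fake_set_x509_crl_file() is a hypothetical stand-in that follows the gnutls convention of returning the number of CRLs imported, SAMPLE_CRL_PEM is a constructed three-CRL file, init_ctx_buggy() mirrors the check as reported (and so yields 3), and init_ctx_fixed() shows one way to correct it by treating only a negative return as failure (the actual patch is not reproduced here).

```c
#include <string.h>
/* Constructed stand-in for a TLSCRLFile holding three PEM CRLs (placeholder bodies). */
static const char *SAMPLE_CRL_PEM =
    "-----BEGIN X509 CRL-----\nPLACEHOLDER\n-----END X509 CRL-----\n"
    "-----BEGIN X509 CRL-----\nPLACEHOLDER\n-----END X509 CRL-----\n"
    "-----BEGIN X509 CRL-----\nPLACEHOLDER\n-----END X509 CRL-----\n";

/* Hypothetical stand-in for gnutls_certificate_set_x509_crl_file(): only counts PEM
 * CRL blocks, but returns the number imported (>= 0) or a negative error code. */
static int fake_set_x509_crl_file(const char *pem)
{
    int n = 0;
    const char *p = pem;
    while ((p = strstr(p, "-----BEGIN X509 CRL-----")) != NULL) {
        const char *end = strstr(p, "-----END X509 CRL-----");
        if (end == NULL)
            return -1;  /* truncated block: surface as an error */
        n++;
        p = end;
    }
    return n;
}

/* Shape of the check as reported: rc keeps the CRL count and is what the
 * function finally returns, so the caller logs "TLS init def ctx failed: 3". */
int init_ctx_buggy(const char *crlfile)
{
    int rc = 0;
    if (crlfile) {
        rc = fake_set_x509_crl_file(crlfile);
        if (rc < 0) goto error_exit;
    }
error_exit:
    return rc;
}

/* Corrected check: only a negative return is a failure, so a successful
 * import resets rc to 0 before the function carries on. */
int init_ctx_fixed(const char *crlfile)
{
    int rc = 0;
    if (crlfile) {
        rc = fake_set_x509_crl_file(crlfile);
        if (rc < 0) goto error_exit;
        rc = 0;
    }
error_exit:
    return rc;
}
```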
--On Tuesday, June 24, 2008 6:00 PM +0200 Arnaud Ebalard arno@natisbad.org wrote:
> Hi,
> When openldap is linked with gnutls for TLS support, a file containing CRL in PEM format can be provided (in slapd.conf, using TLSCRLFile parameter).
Generally, one should use the ITS system (http://www.openldap.org/its/) to file issue reports and patches. This allows us to easily document by ITS# changes made to the next release.
Please see: http://www.openldap.org/devel/contributing.html as well.
Thanks!
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Thanks for the info, but please submit this to the ITS so that it may be tracked.
Arnaud Ebalard wrote:
> Hi,
> When openldap is linked with gnutls for TLS support, a file containing CRL in PEM format can be provided (in slapd.conf, using TLSCRLFile parameter).
> The following code in ldap_int_tls_init_ctx() (libraries/libldap/tls.c) prevents the daemon from starting when the option is used:
>
>     if ( lo->ldo_tls_crlfile ) {
>         rc = gnutls_certificate_set_x509_crl_file(
>             ((tls_ctx*) lo->ldo_tls_ctx)->cred,
>             crlfile, GNUTLS_X509_FMT_PEM );
>         if ( rc < 0 ) goto error_exit;
>     }
>
> because gnutls_certificate_set_x509_crl_file() returns the number of CRL files that have been imported, which is stored in rc and returned later in the function. The caller expects 0; otherwise it reports an error with the value of rc (below, with 3 CRLs in the file) and slapd fails to start:
> .... main TLS init def ctx failed: 3
> The patch below is for 2.4.10, but should apply against all versions (it applies fine against the current Debian version available in Unstable). Tell me if you have issues.
> I recompiled the Debian version with the patch applied and it works as expected.
> Cheers,
> a+