git.sur5r.net Git - openldap/commit

author	Rich Megginson <rmeggins@redhat.com>
	Thu, 28 Jul 2011 21:08:37 +0000 (14:08 -0700)
committer	Quanah Gibson-Mount <quanah@openldap.org>
	Wed, 5 Oct 2011 23:41:07 +0000 (16:41 -0700)
commit	734ba5e12fef421a3b5287e2711e6f202804f1be
tree	149441b5f084ea4cc6b839a8d83ba3d40ef2a0d1	tree \| snapshot
parent	2864c9c31635a858effd91326a5ab4b07cb9405a	commit \| diff

ITS#7002 MozNSS: fix VerifyCert allow/try behavior

If the olcTLSVerifyClient is set to a value other than "never", the server
should request that the client send a client certificate for possible use
with client cert auth (e.g. SASL/EXTERNAL).
If set to "allow", if the client sends a cert, and there are problems with
it, the server will warn about problems, but will allow the SSL session to
proceed without a client cert.
If set to "try", if the client sends a cert, and there are problems with
it, the server will warn about those problems, and shutdown the SSL session.
If set to "demand" or "hard", the client must send a cert, and the server
will shutdown the SSL session if there are problems.
I added a new member of the tlsm context structure - tc_warn_only - if this
is set, tlsm_verify_cert will only warn about errors, and only if TRACE
level debug is set. This allows the server to warn but allow bad certs
if "allow" is set, and warn and fail if "try" is set.