return "";
 }
 
+static void
+tlsm_handshake_complete_cb( PRFileDesc *fd, void *client_data )
+{
+       tlsm_dump_security_status( fd );
+}
+
 #ifdef READ_PASSWORD_FROM_FILE
 static char *
 tlsm_get_pin_from_file(const char *token_name, tlsm_ctx *ctx)
 {
        SECStatus ret = SSL_AuthCertificate(arg, fd, checksig, isServer);
 
-       tlsm_dump_security_status( fd );
-       Debug( LDAP_DEBUG_TRACE,
-                  "TLS certificate verification: %s\n",
-                  ret == SECSuccess ? "ok" : "bad", 0, 0 );
-
        if ( ret != SECSuccess ) {
                PRErrorCode errcode = PORT_GetError();
-               Debug( LDAP_DEBUG_ANY,
-                          "TLS certificate verification: Error, %d: %s\n",
-                          errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ) ;
+               /* we bypass NSS's hostname checks and do our own - tlsm_session_chkhost will handle it */
+               if ( errcode == SSL_ERROR_BAD_CERT_DOMAIN ) {
+                       Debug( LDAP_DEBUG_TRACE,
+                                  "TLS certificate verification: defer\n",
+                                  0, 0, 0 );
+               } else {
+                       Debug( LDAP_DEBUG_ANY,
+                                  "TLS certificate verification: Error, %d: %s\n",
+                                  errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 ) ;
+               }
+       } else {
+               Debug( LDAP_DEBUG_TRACE,
+                          "TLS certificate verification: ok\n",
+                          0, 0, 0 );
        }
 
        return ret;
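Review bot: The new `errcode == SSL_ERROR_BAD_CERT_DOMAIN` branch only changes what is logged; `ret` still carries SECFailure out of the callback, so unless a bad-certificate hook registered elsewhere (not visible in this hunk) accepts that error, NSS aborts the handshake before tlsm_session_chkhost ever runs and the "defer" message is misleading. If the intent is to accept the certificate here and rely on the later hostname check, say so in code, `ret = SECSuccess; /* name mismatch is checked by tlsm_session_chkhost after the handshake */`, and make sure the caller invokes tlsm_session_chkhost unconditionally for client connections, otherwise a hostname mismatch is silently accepted. In either case a peer-name mismatch is a security-relevant event and deserves a higher level than LDAP_DEBUG_TRACE. The enclosing function's signature and closing brace lie outside the hunk.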
        PRStatus status = PR_FAILURE;
        PRErrorCode errcode = PR_SUCCESS;
 
+       if ( !cacertfile && !cacertdir ) {
+               /* no checking - not good, but allowed */
+               return 0;
+       }
+
        if ( cacertfile ) {
                int rc = tlsm_add_cert_from_file( ctx, cacertfile, isca );
                if ( rc ) {
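Review bot: The added early return when neither cacertfile nor cacertdir is set succeeds silently, so a configuration with no trust anchors at all is indistinguishable in the logs from a correctly initialised one, which the comment itself calls "not good". Emit a warning at the default level before returning, `Debug( LDAP_DEBUG_ANY, "TLS: warning: no CA certificate file or directory configured - peer certificates cannot be verified against a trust anchor\n", 0, 0, 0 );`, so operators notice the state. Whether peer certificates are then rejected or accepted depends on the certificate-verification callback and the require-cert setting, both outside this hunk. tlsm_init_ca_certs's signature is above the hunk.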
 
                        if ( rc != SECSuccess ) {
                                errcode = PORT_GetError();
-                               Debug( LDAP_DEBUG_TRACE,
-                                          "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n",
-                                          realcertdir, prefix, errcode );
+                               if ( securitydirs[ii] != lt->lt_cacertdir) {
+                                       Debug( LDAP_DEBUG_TRACE,
+                                                  "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n",
+                                                  realcertdir, prefix, errcode );
+                               }
                        } else {
                                /* success */
                                Debug( LDAP_DEBUG_TRACE, "TLS: using moznss security dir %s prefix %s.\n",
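Review bot: The new condition that suppresses the failure message, `securitydirs[ii] != lt->lt_cacertdir`, compares pointers, so it only works if the array holds the very same pointer rather than a copy of the path, and neither that nor the reason for silencing the message is stated. Add `/* pointer compare is intentional: a failure on lt_cacertdir is reported later, once tlsm_init_ca_certs has also been tried */` above the check. Note also that the failure is logged at LDAP_DEBUG_TRACE, so at the default log level a broken security directory stays silent until the later CA-certificate path reports it. The loop and the enclosing function start outside the hunk.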
                        }
 
                        if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
+                               /* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode 
+                                  will be a value other than 1 - print an error message so that the
+                                  user will know that failed too */
+                               if ( ( errcode != 1 ) && ( lt->lt_cacertdir ) ) {
+                                       char *realcertdir = NULL;
+                                       char *prefix = NULL;
+                                       tlsm_get_certdb_prefix( lt->lt_cacertdir, &realcertdir, &prefix );
+                                       Debug( LDAP_DEBUG_TRACE,
+                                                  "TLS: could not initialize moznss using security dir %s prefix %s - error %d.\n",
+                                                  realcertdir, prefix ? prefix : "", errcode );
+                                       if ( realcertdir != lt->lt_cacertdir ) {
+                                               PL_strfree( realcertdir );
+                                       }
+                                       PL_strfree( prefix );
+                               }
                                return -1;
                        }
 
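Review bot: The new diagnostic block keys on the magic value `1` in `errcode != 1` to mean "cacertdir was never tried as a key/cert db", but nothing in the hunk shows where errcode is set to 1, so a reader cannot tell the sentinel from a genuine NSPR error code; use a named constant or a separate flag such as `int tried_cacertdir_as_db` set in the loop above. The format call guards `prefix` against NULL but not `realcertdir`; if tlsm_get_certdb_prefix can leave `realcertdir` NULL, `%s` on a null pointer is undefined, so guard it the same way, `realcertdir ? realcertdir : lt->lt_cacertdir`. The `realcertdir != lt->lt_cacertdir` guard before PL_strfree implies tlsm_get_certdb_prefix may hand back the caller's own pointer; that ownership rule deserves a one-line comment here. The enclosing function starts and ends outside the hunk.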
                return -1;
        }
 
+       if ( SSL_HandshakeCallback( ctx->tc_model, tlsm_handshake_complete_cb, ctx ) ) {
+               PRErrorCode err = PR_GetError();
+               Debug( LDAP_DEBUG_ANY, 
+                      "TLS: error: could not set handshake callback for moznss - error %d:%s\n",
+                      err, PR_ErrorToString( err, PR_LANGUAGE_I_DEFAULT ), NULL );
+               return -1;
+       }
+
        return 0;
 }