From df1d118de82bb72a6124143a7503fdc3fd426483 Mon Sep 17 00:00:00 2001
From: Jan Vcelak
Date: Fri, 18 May 2012 12:11:51 +0200
Subject: [PATCH] ITS#7276 MozNSS: allow CA certdb together with PEM CA bundle file

Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate database and TLS_CACERT was set to a PEM bundle file with CA certificates, the PEM file content was not loaded.

With this patch and the same settings, OpenLDAP can verify certificates which are signed by CAs stored both in certdb and PEM bundle file.
---
 libraries/libldap/tls_m.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
index 50c03dd6ea..23d843c0ec 100644
--- a/libraries/libldap/tls_m.c
+++ b/libraries/libldap/tls_m.c
@@ -1683,18 +1683,28 @@ tlsm_deferred_init( void *arg )
 ctx->tc_initctx = initctx;
 #endif
+ }
+
+ if ( errcode || lt->lt_cacertfile ) {
 /* initialize the PEM module */
 LDAP_MUTEX_LOCK( &tlsm_init_mutex );
 if ( tlsm_init_pem_module() ) {
 LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
- errcode = PORT_GetError();
+ int pem_errcode = PORT_GetError();
 Debug( LDAP_DEBUG_ANY,
 "TLS: could not initialize moznss PEM module - error %d:%s.\n",
- errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
- return -1;
+ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
+
+ if ( errcode ) /* PEM is required */
+ return -1;
+
+ } else if ( !errcode ) {
+ tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL );
 }
 LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );
+ }
+ if ( errcode ) {
 if ( tlsm_init_ca_certs( ctx, lt->lt_cacertfile, lt->lt_cacertdir ) ) {
 /* if we tried to use lt->lt_cacertdir as an NSS key/cert db, errcode will be a value other than 1 - print an error message so that the
-- 
2.39.5
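Review bot: The new fall-through after a PEM-module failure releases `tlsm_init_mutex` twice: the `if ( tlsm_init_pem_module() )` branch still calls `LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );` on its first line, and when `errcode` is 0 the branch no longer returns, so execution continues past the `else if` to the trailing `LDAP_MUTEX_UNLOCK( &tlsm_init_mutex );` and unlocks an already-unlocked mutex, which on a non-recursive mutex is undefined behaviour (error-checking mutexes report EPERM) and may leave the lock in an inconsistent state for later callers. Drop the unlock that directly follows `if ( tlsm_init_pem_module() ) {` and let the required-PEM exit release the lock itself, `if ( errcode ) { LDAP_MUTEX_UNLOCK( &tlsm_init_mutex ); return -1; }`, so the single unlock after the if/else chain covers every other path. In the `else if ( !errcode )` arm the result of `tlsm_init_ca_certs( ctx, lt->lt_cacertfile, NULL )` is discarded, so a PEM bundle that fails to load raises no error on this path and the configured TLS_CACERT silently contributes no trust anchors; unless the helper logs on its own, a `Debug( LDAP_DEBUG_ANY, ... )` on a non-zero return would make that visible to the administrator. tlsm_deferred_init begins before the hunk and continues after it.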