/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software <http://www.openldap.org/>.
*
- * Copyright 2008-2017 The OpenLDAP Foundation.
+ * Copyright 2008-2018 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
(ciphers_def[i].strength & strength) ||
(ciphers_def[i].version & protocol)) &&
(cipher_list[i] != -1)) {
- /* Enable the NULL ciphers only if explicity
+ /* Enable the NULL ciphers only if explicitly
* requested */
if (ciphers_def[i].attr & SSL_eNULL) {
if (mask & SSL_eNULL)
return ret;
}
+static PRCallOnceType tlsm_register_shutdown_callonce = {0,0};
+
static SECStatus
tlsm_nss_shutdown_cb( void *appData, void *nssData )
{
SECMOD_DestroyModule( pem_module );
pem_module = NULL;
}
+
+ /* init callonce so it can be armed again for cases like persistent daemon with LDAP_OPT_X_TLS_NEWCTX */
+ tlsm_register_shutdown_callonce.initialized = 0;
+ tlsm_register_shutdown_callonce.inProgress = 0;
+ tlsm_register_shutdown_callonce.status = 0;
+
return rc;
}
-static PRCallOnceType tlsm_register_shutdown_callonce = {0,0};
static PRStatus PR_CALLBACK
tlsm_register_nss_shutdown_cb( void )
{
/* prefer unlocked key, then key from opened certdb, then any other */
if ( unlocked_key )
ctx->tc_private_key = unlocked_key;
- else if ( ctx->tc_certdb_slot )
+ else if ( ctx->tc_certdb_slot && !ctx->tc_using_pem )
ctx->tc_private_key = PK11_FindKeyByDERCert( ctx->tc_certdb_slot, ctx->tc_certificate, pin_arg );
else
ctx->tc_private_key = PK11_FindKeyByAnyCert( ctx->tc_certificate, pin_arg );
}
/*
- * Currently mutiple MozNSS contexts share one certificate storage. When the
+ * Currently multiple MozNSS contexts share one certificate storage. When the
* certdb is being opened, only new certificates are added to the storage.
* When different databases are used, conflicting nicknames make the
* certificate lookup by the nickname impossible. In addition a token
}
return -1;
}
-
- ctx->tc_using_pem = PR_TRUE;
}
/*
/* set up our cert and key, if any */
if ( lt->lt_certfile ) {
- /* if using the PEM module, load the PEM file specified by lt_certfile */
- /* otherwise, assume this is the name of a cert already in the db */
- if ( ctx->tc_using_pem ) {
- /* this sets ctx->tc_certificate to the correct value */
- int rc = tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE );
- if ( rc ) {
- return rc;
- }
- } else {
+
+ /* first search in certdb (lt_certfile is nickname) */
+ if ( ctx->tc_certdb ) {
char *tmp_certname;
if ( tlsm_is_tokenname_certnick( lt->lt_certfile )) {
Debug( LDAP_DEBUG_ANY,
"TLS: error: the certificate '%s' could not be found in the database - error %d:%s.\n",
lt->lt_certfile, errcode, PR_ErrorToString( errcode, PR_LANGUAGE_I_DEFAULT ) );
+ }
+ }
+
+ /* fallback to PEM module (lt_certfile is filename) */
+ if ( !ctx->tc_certificate ) {
+ if ( !pem_module && tlsm_init_pem_module() ) {
+ int pem_errcode = PORT_GetError();
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: fallback to PEM impossible, module cannot be loaded - error %d:%s.\n",
+ pem_errcode, PR_ErrorToString( pem_errcode, PR_LANGUAGE_I_DEFAULT ), 0 );
return -1;
}
+
+ /* this sets ctx->tc_certificate to the correct value */
+ if ( !tlsm_add_cert_from_file( ctx, lt->lt_certfile, PR_FALSE ) ) {
+ ctx->tc_using_pem = PR_TRUE;
+ }
+ }
+
+ if ( ctx->tc_certificate ) {
+ Debug( LDAP_DEBUG_ANY,
+ "TLS: certificate '%s' successfully loaded from %s.\n", lt->lt_certfile,
+ ctx->tc_using_pem ? "PEM file" : "moznss database", 0);
+ } else {
+ return -1;
}
}
tlsm_session_version,
tlsm_session_cipher,
tlsm_session_peercert,
+ NULL,
&tlsm_sbio,
projects / openldap / blobdiff