From e3affc71e05b33bfac43833c7b95fd7b7c3188f8 Mon Sep 17 00:00:00 2001
From: Howard Guo
Date: Thu, 10 Nov 2016 15:39:03 +0100
Subject: [PATCH] ITS#8529 Avoid hiding the error if user specified CA does not load

The TLS configuration deliberately hid the error in case that user specified CA locations cannot be read, by loading CAs from default locations; and when user does not specify CA locations, the CAs from default locations are not read at all. This patch corrects the behaviour so that CAs from default location are used if user does not specify a CA location, and user is informed of the error if CAs cannot be loaded from the user specified location.
---
 libraries/libldap/tls_o.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index e96f07c228..0e47ec3563 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -257,10 +257,16 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 return -1;
 }
-if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
+if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
+if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
+Debug( LDAP_DEBUG_ANY, "TLS: "
+"could not use default certificate paths", 0, 0, 0 );
+tlso_report_error();
+return -1;
+}
+} else {
 if ( !SSL_CTX_load_verify_locations( ctx,
-lt->lt_cacertfile, lt->lt_cacertdir ) ||
-!SSL_CTX_set_default_verify_paths( ctx ) )
+lt->lt_cacertfile, lt->lt_cacertdir ) )
 {
 Debug( LDAP_DEBUG_ANY, "TLS: "
 "could not load verify locations (file:`%s',dir:`%s').\n",
--
2.39.2
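Review bot: The added Debug() message `"could not use default certificate paths"` has no trailing newline, unlike the sibling message right below it, `"could not load verify locations (file:`%s',dir:`%s').\n"`, so the log line will run into whatever is written next; change it to `"could not use default certificate paths.\n", 0, 0, 0 );`. The new branch structure also deserves a one-line comment above the `} else {`, since the point of the change is that a configured CA file or directory is now authoritative and a load failure is reported instead of being masked by the system store, e.g. `/* User-specified CA locations are authoritative: do not fall back to the default store. */`. tlso_ctx_init starts before and continues past this hunk, so whether `ctx` is released on the new early `return -1` cannot be confirmed here; the existing `return -1;` at the top of the hunk suggests the function already follows that pattern, but it is worth verifying against the rest of the body.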