Patchwork [07/13] libnsdb: Use correct TLS options

Submitter Chuck Lever
Date Jan. 8, 2013, 5:28 p.m.
Message ID <20130108172808.65133.62891.stgit@seurat.1015granger.net>
Permalink /patch/210454/
State Accepted

Comments

Chuck Lever - Jan. 8, 2013, 5:28 p.m.
Use the CACERTFILE option, not the CERTFILE option when specifying
our certificate file.  This will cause the SSL library to use only
the certificates specified in that file, rather than searching
globally on the local system.

LDAP_OPT_X_TLS_REQUIRE_CERT and LDAP_OPT_X_TLS_CACERTFILE must be
set on the global LDAP descriptor.  This is because the LDAP
descriptor's SSL/TLS context is initialized from the global
descriptor's settings.

Without these two fixes, STARTTLS does not work.  Introduced in
commit 0520ee72 "Initial commit" Tue Mar 29 15:37:40 2011.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---

 src/libnsdb/ldap.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/src/libnsdb/ldap.c b/src/libnsdb/ldap.c
index 5916c19..cec593e 100644
--- a/src/libnsdb/ldap.c
+++ b/src/libnsdb/ldap.c
@@ -575,7 +575,7 @@  nsdb_start_tls(LDAP *ld, const char *certfile, unsigned int *ldap_err)
 		return FEDFS_ERR_INVAL;
 	xlog(D_CALL, "%s: Using certfile %s", __func__, certfile);
 
-	rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, certfile);
+	rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, certfile);
 	if (rc != LDAP_OPT_SUCCESS) {
 		xlog(D_GENERAL, "%s: Failed to set NSDB certificate: %s",
 				__func__, ldap_err2string(rc));
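Review bot: passing NULL instead of `ld` on the `ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, certfile);` line turns the CA file into a process-wide setting, so the `ld` parameter of nsdb_start_tls() no longer affects which trust anchors verify this connection, and a later caller passing a different certfile changes it for every handle in the process; a comment at the call site saying this is intentional would help the next reader. The log text on the following `xlog(D_GENERAL, "%s: Failed to set NSDB certificate: %s",` line still says "certificate" although the option is now the CA certificate file; suggest "Failed to set LDAP_OPT_X_TLS_CACERTFILE: %s" to match the wording the REQUIRE_CERT failure path uses.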
@@ -583,7 +583,7 @@  nsdb_start_tls(LDAP *ld, const char *certfile, unsigned int *ldap_err)
 	}
 
 	value = LDAP_OPT_X_TLS_HARD;
-	rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &value);
+	rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &value);
 	if (rc != LDAP_OPT_SUCCESS) {
 		xlog(D_GENERAL, "%s: Failed to set "
 				"LDAP_OPT_X_TLS_REQUIRE_CERT: %s",
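Review bot: nothing in this hunk or the previous one guards against nsdb_start_tls() being called with a different certfile after a TLS context has already been built from the global descriptor; in OpenLDAP the default TLS context is created once from the global options and reused, so a second call would return LDAP_OPT_SUCCESS here while the new file is silently not used. Either document that the global settings must be applied before the first STARTTLS in the process, or, if per-handle settings are wanted, set the options on `ld` and apply them with OpenLDAP's LDAP_OPT_X_TLS_NEWCTX; the commit message should say why the global route was chosen over that.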