[07/13] libnsdb: Use correct TLS options

Message ID 20130108172808.65133.62891.stgit@seurat.1015granger.net
State Accepted
Headers show

Commit Message

Chuck Lever Jan. 8, 2013, 5:28 p.m.
Use the CACERTFILE option, not the CERTFILE option when specifying
our certificate file.  This will cause the SSL library to use only
the certificates specified in that file, rather than searching
globally on the local system.

set on the global LDAP descriptor.  This is because the LDAP
descriptor's SSL/TLS context is initialized from the global
descriptor's settings.

Without these two fixes, STARTTLS does not work.  Introduced in
commit 0520ee72 "Initial commit" Tue Mar 29 15:37:40 2011.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

 src/libnsdb/ldap.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)


diff --git a/src/libnsdb/ldap.c b/src/libnsdb/ldap.c
index 5916c19..cec593e 100644
--- a/src/libnsdb/ldap.c
+++ b/src/libnsdb/ldap.c
@@ -575,7 +575,7 @@  nsdb_start_tls(LDAP *ld, const char *certfile, unsigned int *ldap_err)
 		return FEDFS_ERR_INVAL;
 	xlog(D_CALL, "%s: Using certfile %s", __func__, certfile);
-	rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, certfile);
+	rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, certfile);
 	if (rc != LDAP_OPT_SUCCESS) {
 		xlog(D_GENERAL, "%s: Failed to set NSDB certificate: %s",
 				__func__, ldap_err2string(rc));
@@ -583,7 +583,7 @@  nsdb_start_tls(LDAP *ld, const char *certfile, unsigned int *ldap_err)
 	value = LDAP_OPT_X_TLS_HARD;
-	rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &value);
+	rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &value);
 	if (rc != LDAP_OPT_SUCCESS) {
 		xlog(D_GENERAL, "%s: Failed to set "