From patchwork Tue Jan  8 17:28:08 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 210454
From: Chuck Lever
To: fedfs-utils-devel@oss.oracle.com
Date: Tue, 08 Jan 2013 12:28:08 -0500
Message-ID: <20130108172808.65133.62891.stgit@seurat.1015granger.net>
In-Reply-To: <20130108172057.65133.25145.stgit@seurat.1015granger.net>
References: <20130108172057.65133.25145.stgit@seurat.1015granger.net>
User-Agent: StGIT/0.14.3
Subject: [fedfs-utils] [PATCH 07/13] libnsdb: Use correct TLS options
List-Id: fedfs-utils Developers
Reply-To: fedfs-utils Developers
Sender: fedfs-utils-devel-bounces@oss.oracle.com

Use the CACERTFILE option, not the CERTFILE option, when specifying our
certificate file. This will cause the SSL library to use only the
certificates specified in that file, rather than searching globally on
the local system.

LDAP_OPT_X_TLS_REQUIRE_CERT and LDAP_OPT_X_TLS_CACERTFILE must be set on
the global LDAP descriptor. This is because the LDAP descriptor's SSL/TLS
context is initialized from the global descriptor's settings.

Without these two fixes, STARTTLS does not work.

Introduced in commit 0520ee72 "Initial commit" Tue Mar 29 15:37:40 2011.

Signed-off-by: Chuck Lever
---
 src/libnsdb/ldap.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/libnsdb/ldap.c b/src/libnsdb/ldap.c
index 5916c19..cec593e 100644
--- a/src/libnsdb/ldap.c
+++ b/src/libnsdb/ldap.c
@@ -575,7 +575,7 @@ nsdb_start_tls(LDAP *ld, const char *certfile, unsigned int *ldap_err) return FEDFS_ERR_INVAL; xlog(D_CALL, "%s: Using certfile %s", __func__, certfile); - rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, certfile); + rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, certfile); if (rc != LDAP_OPT_SUCCESS) { xlog(D_GENERAL, "%s: Failed to set NSDB certificate: %s", __func__, ldap_err2string(rc)); @@ -583,7 +583,7 @@ nsdb_start_tls(LDAP *ld, const char *certfile, unsigned int *ldap_err) } value = LDAP_OPT_X_TLS_HARD; - rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &value); + rc = ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, &value); if (rc != LDAP_OPT_SUCCESS) { xlog(D_GENERAL, "%s: Failed to set " "LDAP_OPT_X_TLS_REQUIRE_CERT: %s",
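Review bot: in the first hunk (@@ -575) the option being set is now LDAP_OPT_X_TLS_CACERTFILE, but the parameter is still called `certfile`, the trace line still reads `"%s: Using certfile %s"` and the error path still reads `"%s: Failed to set NSDB certificate: %s"`, all of which now describe a client certificate rather than the CA bundle that is actually being installed. Rename the parameter to `cacertfile` (prototype and callers too) and reword both messages, for example `"%s: Using CA certificate file %s"` and `"%s: Failed to set NSDB CA certificate file: %s"`. Replacing `ld` with NULL also makes the trust anchor a process-wide setting that every LDAP handle created afterwards inherits, and nothing in this function clears it; a one-line comment above the call saying that this is deliberate, and why, will stop the next reader from "fixing" it back to `ld`.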
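Review bot: in the second hunk (@@ -583) LDAP_OPT_X_TLS_REQUIRE_CERT is likewise set on the global descriptor, so each call to nsdb_start_tls() overwrites the same two process-wide values and the last caller wins. If one process ever opens sessions to two NSDBs with different CA files, the second call silently replaces the first connection's trust anchor before its handshake runs. Document in the function's header comment that the CA file and REQUIRE_CERT level are process-global, not per-handle, and that callers must therefore finish STARTTLS on one handle before configuring another; keeping `value` at LDAP_OPT_X_TLS_HARD is the right choice, since anything weaker would let a server without a verifiable certificate through.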