https://bugzilla.novell.com/show_bug.cgi?id=757715
https://bugzilla.novell.com/show_bug.cgi?id=757715#c2

Ralf Haferkamp <rhafer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |lnussel@suse.com

--- Comment #2 from Ralf Haferkamp <rhafer@suse.com> 2012-04-18 13:50:56 CEST ---
The code in libraries/libldap/tls_o.c (or libraries/libldap/tls.c) has a rather weird logic. It tries to set the specified cafile/cadir and, if that fails, uses openssl's defaults (SSL_CTX_set_default_verify_paths). So if nothing is specified it doesn't use any cafile/cadir. It's even weirder that it only calls SSL_CTX_set_default_verify_paths when SSL_CTX_load_verify_locations succeeds. The man-page says SSL_CTX_load_verify_locations returns 1 in case of success and 0 in case of failure. We already discussed this 2 years ago and found out that many other programs use exactly the same code, e.g. postfix (at least back when I checked last time) and cyrus-imapd. The code in OpenLDAP is almost an exact copy of openssl's s_client code, for which you even filed an upstream bug: http://rt.openssl.org/Ticket/Display.html?id=2203&user=guest&pass=guest There was however no reaction on that report ;(
For OpenLDAP there is also an upstream bug report: http://www.openldap.org/its/index.cgi?findid=5582 There seems to be agreement not to change the current behavior within the 2.4 release of OpenLDAP. There seem to be clients out there relying on this behavior (which I agree is somewhat broken).
I think the code should be modified to use defaults if nothing is specified and to fail if an explicitly specified cafile/cadir cannot be loaded. I'd rather go with what upstream does here, as they are already aware of the weirdness and decided to address this in the next bigger release (2.5).
That way no config change is needed at all (although adding an example line can't hurt either). Ok, adding the example line is not a big deal; I can do that.
The question remains: how will we address all the other packages that use this weird logic?
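As an added illustration (not code from this bug, libldap or OpenLDAP), here are the two behaviours the comment contrasts, written against Python's ssl module, whose load_verify_locations() and load_default_certs() wrap the same SSL_CTX_load_verify_locations() and SSL_CTX_set_default_verify_paths() calls named above; the CA path used is a constructed, deliberately missing one.

```python
import ssl


def weird_context(cafile=None, capath=None):
    """Model of the fallback logic described in the comment (not libldap's
    actual code): try the configured CA file/dir and, if that fails, silently
    fall back to OpenSSL's default trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    try:
        # wraps SSL_CTX_load_verify_locations()
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    except (OSError, ssl.SSLError):
        # A typo in the configured path quietly becomes "trust every system CA".
        ctx.load_default_certs()  # wraps SSL_CTX_set_default_verify_paths()
    return ctx


def strict_context(cafile=None, capath=None):
    """The behaviour argued for in the comment: defaults only when nothing is
    configured, hard failure when a configured location cannot be loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is None and capath is None:
        ctx.load_default_certs()
        return ctx
    # OSError (missing file) or ssl.SSLError (unparsable file) propagates:
    # a broken CA configuration must not widen the set of trusted issuers.
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def outcome(builder, cafile):
    """Report whether a context builder accepted a bad CA file path."""
    try:
        builder(cafile=cafile)
        return "context created"
    except (OSError, ssl.SSLError):
        return "configuration error"


if __name__ == "__main__":
    # Constructed, non-existent path standing in for a typo in a CA file setting.
    missing = "/etc/openldap/certs/ca-bundle.pem.typo"
    print("weird :", outcome(weird_context, missing))   # context created
    print("strict:", outcome(strict_context, missing))  # configuration error
```

The first line shows the failure mode the comment objects to: the misconfigured client keeps working, but verifies peers against a trust store the administrator never chose.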