[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#6131) "TLSVerifyClient try" not working with GNU TLS

To: openldap-its@OpenLDAP.org
Subject: (ITS#6131) "TLSVerifyClient try" not working with GNU TLS
From: subbarao@computer.org
Date: Wed, 20 May 2009 15:41:40 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

Full_Name: Kartik Subbarao
Version: 2.4.16
OS: Debian 5.0.1
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (76.99.175.5)


When TLSVerifyClient is set to "try", OpenLDAP improperly rejects SSL
connections without a client certificate. The problem appears to start with this
section of code in tls.c around line 1564:

#ifdef HAVE_GNUTLS
    if ( ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
        err = tls_cert_verify( ssl );
        if ( err && ld->ld_options.ldo_tls_require_cert != LDAP_OPT_X_TLS_ALLOW
)
            return err;
    }
#endif

tls_cert_verify() calls gnutls_certificate_verify_peers2(), which appears to
return error 49 when no client certificate is presented. tls_cert_verify()
doesn't seem to distinguish between this case, and the case of an invalid client
certificate, returning -1 in both cases.

Prev by Date: Re: (ITS#6129) slapd seg faults on shut-down
Next by Date: (ITS#6132) slapi_entry_has_children broken
Index(es):
- Chronological
- Thread