Re: (ITS#7276) [PATCH] MozNSS: allow CA certdb together with PEM CA bundle file
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7276) [PATCH] MozNSS: allow CA certdb together with PEM CA bundle file
- From: hyc@symas.com
- Date: Wed, 30 May 2012 13:20:19 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
jvcelak@redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: master
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/jvcelak-20120518-update-nss-allow-ca-certdb-with-pem-ca-bundle.patch
> Submission from: (NULL) (209.132.186.34)
>
>
> With Mozilla NSS crypto backend:
>
> Prior to this patch, if TLS_CACERTDIR was set to Mozilla NSS certificate
> database and TLS_CACERT was set to a PEM bundle file with CA
> certificates, the PEM file content was not loaded.
>
> With this patch and the same settings, OpenLDAP can verify certificates
> which are signed by CAs stored both in certdb and PEM bundle file.
Thanks for the patch, added to master.
>
> This problem was found with FreeIPA which is setting CA PEM bundle using
> ldap_set_option(&ld, LDAP_OPT_X_TLS_CACERTFILE, ...), while TLS_CACERTDIR with
> certdb is set in system ldap.conf file.
>
>
> The attached file is derived from OpenLDAP Software. All of the modifications to
> OpenLDAP Software represented in the following patch(es) were developed by Red
> Hat. Red Hat has not assigned rights and/or interest in this work to any party.
> I, Jan Vcelak am authorized by Red Hat, my employer, to release this work under
> the following terms.
>
> Red Hat hereby place the following modifications to OpenLDAP Software (and only
> these modifications) into the public domain. Hence, these modifications may be
> freely used and/or redistributed for any purpose with or without attribution
> and/or other notice.
>
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
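
Added example (not part of the original message or the patch): a small Python audit helper that flags client configurations combining an NSS certdb in TLS_CACERTDIR with a PEM CA bundle, the setup the report says was not honoured by the MozNSS backend before this patch. The function names, the `cacertfile_override` parameter and the sample paths are assumptions made for illustration.

```python
import os

# File names of an NSS certificate database (legacy dbm and SQLite formats).
NSS_DB_FILES = ("cert8.db", "cert9.db")

# Constructed sample: system ldap.conf pointing TLS_CACERTDIR at a certdb.
SAMPLE_CONF = """\
# system-wide client settings
URI ldap://ldap.example.test
TLS_CACERTDIR /etc/openldap/certs
"""

def parse_ldap_conf(text):
    """Return {OPTION: value}; ldap.conf option names are case-insensitive."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts[parts[0].upper()] = parts[1].strip()
    return opts

def is_nss_certdb(path):
    """True if path holds an NSS certdb rather than a directory of PEM files."""
    for prefix in ("sql:", "dbm:"):  # NSS database-type prefixes
        if path.startswith(prefix):
            path = path[len(prefix):]
    return any(os.path.isfile(os.path.join(path, f)) for f in NSS_DB_FILES)

def ca_sources(conf_text, cacertfile_override=None):
    """Report the CA sources in effect and whether both kinds are configured.

    cacertfile_override (hypothetical parameter) models an application that
    sets LDAP_OPT_X_TLS_CACERTFILE itself on top of the system ldap.conf.
    """
    opts = parse_ldap_conf(conf_text)
    certdir = opts.get("TLS_CACERTDIR")
    bundle = cacertfile_override or opts.get("TLS_CACERT")
    certdb = certdir if certdir and is_nss_certdb(certdir) else None
    return {"certdb": certdb, "pem_bundle": bundle,
            "both": bool(certdb and bundle)}

if __name__ == "__main__":
    # Constructed override path standing in for an application-supplied bundle.
    print(ca_sources(SAMPLE_CONF, cacertfile_override="/path/to/ca-bundle.pem"))
```

A result with `both` set to true marks a host whose certificate verification depends on the behaviour this patch introduces, so the installed libldap build is worth checking there.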