Add patch 0001-un-break-certificate-verification.patch,
taken from upstream's "next" branch (commits a3c4f7f from Peter Marschall
and db0b090 from Graham Barr): un-break certificate verification.
Closes: #640883
gregor herrmann
12 years ago
0 | From a3c4f7fe85129b036d915c9064752d9b542ad803 Mon Sep 17 00:00:00 2001 | |
1 | From: Peter Marschall <peter@adpm.de> | |
2 | Date: Wed, 7 Sep 2011 13:21:48 +0200 | |
3 | Subject: [PATCH] un-break certificate verification | |
4 | ||
5 | Commit 041d540 "Specify that we want to use the 'ldap' scheme to verify | |
6 | certificates" unconditionally set IO:Socket::SSL's SSL_verify_cn_scheme | |
7 | 'ldap'. | |
8 | ||
9 | In principle this is a good thing: it allows to verify whether the name of | |
10 | the host we connect to matches the host name in the certificate presented. | |
11 | ||
12 | But doing it unconditionally led to some trouble: | |
13 | * it broke $ldap->start_tls() completely. | |
14 | see SSL_verifycn_name in IO::Socket::SSL(3) for why | |
15 | * in the case of sslverify = 'none' it created a warning | |
16 | on every connect. | |
17 | ||
18 | This commit fixes both issues. | |
19 | --- | |
20 | lib/Net/LDAP.pm | 11 ++++++++++- | |
21 | 1 files changed, 10 insertions(+), 1 deletions(-) | |
22 | ||
23 | ~~~ | |
24 | ||
25 | From db0b09089531629c58d61f3c7d8b5daab7fd22a4 Mon Sep 17 00:00:00 2001 | |
26 | From: Graham Barr <gbarr@pobox.com> | |
27 | Date: Fri, 23 Sep 2011 10:06:58 -0500 | |
28 | Subject: [PATCH] fix copy & paste typo | |
29 | ||
30 | --- | |
31 | lib/Net/LDAP.pm | 2 +- | |
32 | 1 files changed, 1 insertions(+), 1 deletions(-) | |
33 | ||
34 | --- a/lib/Net/LDAP.pm | |
35 | +++ b/lib/Net/LDAP.pm | |
36 | @@ -192,11 +192,18 @@ | |
37 | my $arg = shift; | |
38 | ||
39 | my $verify = 0; | |
40 | + my %verifycn_ctx = (); | |
41 | my ($clientcert,$clientkey,$passwdcb); | |
42 | ||
43 | if (exists $arg->{'verify'}) { | |
44 | my $v = lc $arg->{'verify'}; | |
45 | $verify = 0 + (exists $ssl_verify{$v} ? $ssl_verify{$v} : $verify); | |
46 | + | |
47 | + if ($verify) { | |
48 | + $verifycn_ctx{SSL_verifycn_scheme} = "ldap"; | |
49 | + $verifycn_ctx{SSL_verifycn_name} = $arg->{'sslserver'} | |
50 | + if (defined $arg->{'sslserver'}); | |
51 | + } | |
52 | } | |
53 | ||
54 | if (exists $arg->{'clientcert'}) { | |
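Review bot: The new `if ($verify) { ... }` block around `%verifycn_ctx` carries no comment on why the verifycn scheme is now requested only when `$verify` is non-zero, so a later reader may well "simplify" it back to the unconditional form this patch is reverting. The reason lives only in the patch preamble above (with `SSL_verify_mode` 0, setting a scheme made IO::Socket::SSL warn on every connect, and it broke start_tls). Suggest a comment directly above `if ($verify) {`: `# ask for hostname checks only when verification is on: with SSL_verify_mode 0, a verifycn scheme makes IO::Socket::SSL warn on every connect`. Note too that when `sslserver` is not given no `SSL_verifycn_name` is passed at all, so the name being checked is whatever IO::Socket::SSL falls back to; a second short comment stating that is worth having. The enclosing sub (presumably `_SSL_context_init_args`, judging by the call in the last hunk) starts before this hunk.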
55 | @@ -230,7 +237,7 @@ | |
56 | SSL_verify_mode => $verify, | |
57 | SSL_version => defined $arg->{'sslversion'} ? $arg->{'sslversion'} : | |
58 | 'sslv2/3', | |
59 | - SSL_verifycn_scheme => "ldap", | |
60 | + %verifycn_ctx, | |
61 | ); | |
62 | } | |
63 | ||
64 | @@ -1031,6 +1038,8 @@ | |
65 | delete $ldap->{net_ldap_root_dse}; | |
66 | ||
67 | $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion}; | |
68 | + $arg->{sslserver} = $ldap->{'net_ldap_host'} unless defined $arg->{sslserver}; | |
69 | + | |
70 | IO::Socket::SSL::context_init( { _SSL_context_init_args($arg) } ); | |
71 | my $sock_class = ref($sock); | |
72 |
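Review bot: `$arg->{sslserver} = $ldap->{'net_ldap_host'} unless defined $arg->{sslserver};` writes the default back into the caller's hash, so the argument hash a caller hands to `start_tls` comes back modified, unlike the neighbouring `sslversion` default which has the same issue but is pre-existing; passing a merged copy to the context builder avoids the side effect, e.g. `IO::Socket::SSL::context_init( { _SSL_context_init_args({ sslserver => $ldap->{'net_ldap_host'}, %$arg }) } );`. The default also assumes `net_ldap_host` holds a bare hostname: it is assigned outside this hunk, and if it can still carry a scheme prefix or port suffix, `SSL_verifycn_name` would compare the certificate against the wrong string, which is worth confirming with a comment such as `# net_ldap_host must be the bare host name: it becomes SSL_verifycn_name`. `start_tls`'s body continues past the end of this hunk.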