Add patch 0001-un-break-certificate-verification.patch,
taken from upstream's "next" branch (commits a3c4f7f from Peter Marschall
and db0b090 from Graham Barr): un-break certificate verification.
Closes: #640883
gregor herrmann
12 years ago
| 0 | From a3c4f7fe85129b036d915c9064752d9b542ad803 Mon Sep 17 00:00:00 2001 | |
| 1 | From: Peter Marschall <peter@adpm.de> | |
| 2 | Date: Wed, 7 Sep 2011 13:21:48 +0200 | |
| 3 | Subject: [PATCH] un-break certificate verification | |
| 4 | ||
| 5 | Commit 041d540 "Specify that we want to use the 'ldap' scheme to verify | |
| 6 | certificates" unconditionally set IO:Socket::SSL's SSL_verify_cn_scheme | |
| 7 | 'ldap'. | |
| 8 | ||
| 9 | In principle this is a good thing: it allows to verify whether the name of | |
| 10 | the host we connect to matches the host name in the certificate presented. | |
| 11 | ||
| 12 | But doing it unconditionally led to some trouble: | |
| 13 | * it broke $ldap->start_tls() completely. | |
| 14 | see SSL_verifycn_name in IO::Socket::SSL(3) for why | |
| 15 | * in the case of sslverify = 'none' it created a warning | |
| 16 | on every connect. | |
| 17 | ||
| 18 | This commit fixes both issues. | |
| 19 | --- | |
| 20 | lib/Net/LDAP.pm | 11 ++++++++++- | |
| 21 | 1 files changed, 10 insertions(+), 1 deletions(-) | |
| 22 | ||
| 23 | ~~~ | |
| 24 | ||
| 25 | From db0b09089531629c58d61f3c7d8b5daab7fd22a4 Mon Sep 17 00:00:00 2001 | |
| 26 | From: Graham Barr <gbarr@pobox.com> | |
| 27 | Date: Fri, 23 Sep 2011 10:06:58 -0500 | |
| 28 | Subject: [PATCH] fix copy & paste typo | |
| 29 | ||
| 30 | --- | |
| 31 | lib/Net/LDAP.pm | 2 +- | |
| 32 | 1 files changed, 1 insertions(+), 1 deletions(-) | |
| 33 | ||
| 34 | --- a/lib/Net/LDAP.pm | |
| 35 | +++ b/lib/Net/LDAP.pm | |
| 36 | @@ -192,11 +192,18 @@ | |
| 37 | my $arg = shift; | |
| 38 | ||
| 39 | my $verify = 0; | |
| 40 | + my %verifycn_ctx = (); | |
| 41 | my ($clientcert,$clientkey,$passwdcb); | |
| 42 | ||
| 43 | if (exists $arg->{'verify'}) { | |
| 44 | my $v = lc $arg->{'verify'}; | |
| 45 | $verify = 0 + (exists $ssl_verify{$v} ? $ssl_verify{$v} : $verify); | |
| 46 | + | |
| 47 | + if ($verify) { | |
| 48 | + $verifycn_ctx{SSL_verifycn_scheme} = "ldap"; | |
| 49 | + $verifycn_ctx{SSL_verifycn_name} = $arg->{'sslserver'} | |
| 50 | + if (defined $arg->{'sslserver'}); | |
| 51 | + } | |
| 52 | } | |
| 53 | ||
| 54 | if (exists $arg->{'clientcert'}) { | |
| 55 | @@ -230,7 +237,7 @@ | |
| 56 | SSL_verify_mode => $verify, | |
| 57 | SSL_version => defined $arg->{'sslversion'} ? $arg->{'sslversion'} : | |
| 58 | 'sslv2/3', | |
| 59 | - SSL_verifycn_scheme => "ldap", | |
| 60 | + %verifycn_ctx, | |
| 61 | ); | |
| 62 | } | |
| 63 | ||
| 64 | @@ -1031,6 +1038,8 @@ | |
| 65 | delete $ldap->{net_ldap_root_dse}; | |
| 66 | ||
| 67 | $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion}; | |
| 68 | + $arg->{sslserver} = $ldap->{'net_ldap_host'} unless defined $arg->{sslserver}; | |
| 69 | + | |
| 70 | IO::Socket::SSL::context_init( { _SSL_context_init_args($arg) } ); | |
| 71 | my $sock_class = ref($sock); | |
| 72 |