Bug 811468

Summary: not all certificates in OpenSSL compatible CA certificate directory format are loaded
Product: Red Hat Enterprise Linux 6 Reporter: David Spurek <dspurek>
Component: openldapAssignee: Jan Vcelak <jvcelak>
Status: CLOSED ERRATA QA Contact: David Spurek <dspurek>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.3CC: bugzilla, ebenes, jhrozek, jplans, jsynacek, jvcelak, nalin, omoris, ovasik, tsmetana
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openldap-2.4.23-29.el6 Doc Type: Bug Fix
Doc Text:
Cause: OpenSSL hashed CA certificate directory is configured to be used as a source for trusted CA certificates. libldap assumes that filenames of all hashed certificates should end with '.0', which is not correct. Any numeric suffix is allowed. Consequence: Only certificates with '.0' suffix are loaded. Fix: Patch applied which updates checking of filenames of files in OpenSSL CA certificate directory. Result: All certificates with a filename, which is allowed in hashed OpenSSL CA certificate directory are loaded.
 Story Points: ---
Clone Of: 609722
: 852786 (view as bug list) Environment:
Last Closed: 2013-02-21 09:45:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 609722    
Bug Blocks: 593242, 649048, 699652    
Attachments:
Description Flags
proposed patch none

Comment 6 Jan Vcelak 2012-08-29 14:46:38 UTC 
Created attachment 607923 [details]
proposed patch

Proposed patch. Uses regular expressions instead of checking for '.0' file extension wrongly. Following format is allowed: ^[0-9a-f]{8}\\.[0-9]+$

Upstream submission:
http://www.openldap.org/its/index.cgi?findid=7374
Comment 11 Jan Vcelak 2012-09-25 16:10:26 UTC 
Resolved in: openldap-2.4.23-29.el6
Comment 15 errata-xmlrpc 2013-02-21 09:45:35 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0364.html