Bug 818844
Summary: | MozNSS CA cert dir does not work together with PEM CA cert file | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Martin Kosek <mkosek> | |
Component: | openldap | Assignee: | Jan Vcelak <jvcelak> | |
Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | |
Severity: | urgent | Docs Contact: | ||
Priority: | urgent | |||
Version: | 6.3 | CC: | dspurek, jgalipea, jsynacek, jvcelak, mkosek, omoris, rmeggins, sgallagh, syeghiay, tsmetana | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | openldap-2.4.23-26.el6 | Doc Type: | Bug Fix | |
Doc Text: |
- TLS_CACERTDIR set to Mozilla NSS certificate database, TLS_CACERT set to PEM bundle with CA certificates, connecting to remote LDAP server with TLS enabled
- certificates from PEM bundle were not loaded, validation of remote certificate failed if the signing CA certificate was present only in PEM CA bundle specified by TLS_CACERT
- patch applied to allow loading of CA certificates from PEM bundle file, if Mozilla NSS certificate database is set up as well
- in the described situation, CA certificates from both Mozilla NSS certificate database and PEM bundle are available, so the validation would proceed as expected
|
Story Points: | --- | |
Clone Of: | 818723 | |||
: | 819536 | Environment: | |
Last Closed: | 2012-06-20 07:32:22 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 818723 | |||
Bug Blocks: | 819536 |
Description
Martin Kosek
2012-05-04 07:36:31 UTC
When TLS_CACERTDIR is set and valid, TLS_CACERT setting is skipped.

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
- TLS_CACERTDIR set to Mozilla NSS certificate database, TLS_CACERT set to PEM bundle with CA certificates, connecting to remote LDAP server with TLS enabled
- certificates from PEM bundle were not loaded, validation of remote certificate failed if the signing CA certificate was present only in PEM CA bundle specified by TLS_CACERT
- patch applied to allow loading of CA certificates from PEM bundle file, if Mozilla NSS certificate database is set up as well
- in the described situation, CA certificates from both Mozilla NSS certificate database and PEM bundle are available, so the validation would proceed as expected

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0899.html
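
The configuration this bug covers (TLS_CACERTDIR pointing at a Mozilla NSS database while TLS_CACERT names a PEM bundle) can be spotted in an ldap.conf with a short check. This is an added example, not code from the bug report or from openldap; the function names are hypothetical, and treating a directory as an NSS database when it holds cert8.db or cert9.db is an assumption of the sketch.

```shell
#!/bin/sh
# Added example: classify which CA sources an ldap.conf names.
# Function names are hypothetical; they are not part of openldap.

# conf_value FILE OPTION
# Print the value of an ldap.conf option. Keywords are matched
# case-insensitively; commented-out lines never match. If the option
# is repeated, the last occurrence is printed (a choice of this sketch).
conf_value() {
    awk -v opt="$2" 'toupper($1) == opt { v = $2 }
                     END { if (v != "") print v }' "$1"
}

# is_nss_db DIR
# Assumption: a directory is an NSS certificate database if it holds
# cert8.db (legacy format) or cert9.db (SQLite format).
is_nss_db() {
    [ -f "$1/cert8.db" ] || [ -f "$1/cert9.db" ]
}

# classify_ldap_conf FILE
# Prints one of:
#   both-sources  NSS database in TLS_CACERTDIR and PEM bundle in TLS_CACERT
#                 (the combination described in this bug)
#   nss-only      only a usable NSS database
#   pem-only      only a usable PEM bundle
#   none          neither source is usable
classify_ldap_conf() (
    cadir=$(conf_value "$1" TLS_CACERTDIR)
    cafile=$(conf_value "$1" TLS_CACERT)
    nss=no
    pem=no
    if [ -n "$cadir" ] && is_nss_db "$cadir"; then nss=yes; fi
    # A PEM bundle counts only if it contains at least one certificate.
    if [ -n "$cafile" ] &&
       grep -q -- '-----BEGIN CERTIFICATE-----' "$cafile" 2>/dev/null; then
        pem=yes
    fi
    case "$nss/$pem" in
        yes/yes) echo "both-sources" ;;
        yes/no)  echo "nss-only" ;;
        no/yes)  echo "pem-only" ;;
        *)       echo "none" ;;
    esac
)

# Stand-alone use: sh check.sh /etc/openldap/ldap.conf
if [ "$#" -gt 0 ]; then classify_ldap_conf "$1"; fi
```

A `both-sources` result on a host whose openldap package is older than the Fixed In Version listed above means the CA certificates in the PEM bundle are not being loaded.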