Found out that this appears even with perfectly correct configuration, when PK11_FindCertFromNickname fails. RHEL is affected, must be fixed.

+++ This bug was initially created as a clone of Bug #772890 +++

Description of problem:
slapd segfaults when PEM certificate is used and olcTLSCertificateKeyFile is not set

Version-Release number of selected component (if applicable):
openldap-2.4.26-5.fc16.x86_64, upstream git master

Steps to Reproduce:
  # ldapmodify -H ldapi:// -Y external
  dn: cn=config
  changetype: modify
  replace: olcTLSCertificateKeyFile

  # systemctl slapd stop
  # slapd -u ldap -d1

  $ ldapsearch -x -ZZ -H ldap://server

Actual results:
  TLS: loaded CA certificate file /etc/pki/tls/certs/ca-bundle.crt.
  TLS: error: could not find the private key for certificate PEM Token #0:slapd.pem - 0 - error -12285:Unable to find the certificate or key necessary for authentication.
  TLS: error: unable to find and verify server's cert and key for certificate PEM Token #0:slapd.pem - 0
  Segmentation fault

Expected results:
server will not crash

Additional info:

--- Additional comment from jvcelak on 2012-01-10 10:15:37 CET ---

Created attachment 551797 [details]
proposed patch (against git master)

Crashes due to randomly initialized *serverKey pointer, which is untouched in tlsm_find_and_verify_cert_key and then tried to be freed with SECKEY_DestroyPrivateKey

--- Additional comment from jvcelak on 2012-01-20 12:29:50 CET ---

Not critical, changing version to "rawhide".

--- Additional comment from jvcelak on 2012-01-25 16:59:19 CET ---

Thank you for the review, Rich. Patch submitted upstream:
http://www.openldap.org/its/index.cgi?findid=7135

--- Additional comment from jvcelak on 2012-01-31 18:48:34 CET ---

Fixed in:
openldap-2.4.26-6.fc16
openldap-2.4.28-3.fc17

--- Additional comment from updates on 2012-01-31 18:51:07 CET ---

openldap-2.4.26-6.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/openldap-2.4.26-6.fc16

--- Additional comment from updates on 2012-02-01 20:26:52 CET ---

Package openldap-2.4.26-6.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
  # su -c 'yum update --enablerepo=updates-testing openldap-2.4.26-6.fc16'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1135/openldap-2.4.26-6.fc16
then log in and leave karma (feedback).

--- Additional comment from updates on 2012-02-17 01:57:55 CET ---

openldap-2.4.26-6.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
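Added illustration of the defect pattern jvcelak describes (an out-parameter left untouched on the error path and then handed to a destroy function), with the caller written the way the fix leaves it. This is not OpenLDAP's code or the attached patch; the NSS objects and PK11_FindCertFromNickname / SECKEY_DestroyPrivateKey calls are replaced by constructed stand-ins (Cert, PrivKey, find_cert, find_key, free), and the "slapd.pem" nickname and have_key_file flag model the olcTLSCertificateKeyFile-unset case from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for NSS's CERTCertificate and SECKEYPrivateKey. */
typedef struct { int handle; } Cert;
typedef struct { int handle; } PrivKey;

/* Stand-in for PK11_FindCertFromNickname: only "slapd.pem" exists here. */
static Cert *find_cert(const char *nickname)
{
    if (strcmp(nickname, "slapd.pem") != 0) return NULL;
    return calloc(1, sizeof(Cert));
}

/* Stand-in for the private-key lookup; fails when olcTLSCertificateKeyFile
 * is unset, which is the situation from the report. */
static PrivKey *find_key(int have_key_file)
{
    return have_key_file ? calloc(1, sizeof(PrivKey)) : NULL;
}

/* Mirrors tlsm_find_and_verify_cert_key: out-parameters are written only on
 * success, so on failure the caller's variables keep their previous value. */
static int find_and_verify_cert_key(const char *nickname, int have_key_file,
                                    Cert **pcert, PrivKey **pkey)
{
    Cert *c = find_cert(nickname);
    if (!c) return -1;
    PrivKey *k = find_key(have_key_file);
    if (!k) { free(c); return -1; }   /* *pcert, *pkey deliberately untouched */
    *pcert = c;
    *pkey = k;
    return 0;
}

/* Caller with the fix. In the crashing version `key` was an uninitialized
 * stack variable, so SECKEY_DestroyPrivateKey(key) on the error path freed a
 * garbage pointer; starting from NULL makes that cleanup a safe no-op. */
int load_server_credentials(const char *nickname, int have_key_file)
{
    Cert *cert = NULL;
    PrivKey *key = NULL;
    int rc = find_and_verify_cert_key(nickname, have_key_file, &cert, &key);
    if (rc != 0)
        fprintf(stderr, "TLS: error: unable to find and verify server's cert and key for certificate %s\n", nickname);
    if (key) free(key);    /* stand-in for SECKEY_DestroyPrivateKey */
    if (cert) free(cert);  /* stand-in for CERT_DestroyCertificate */
    return rc;             /* 0 on success, -1 when cert or key is missing */
}
```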
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
- openldap server configured to use TLS, some problem when loading server key appears
- server crashes with segmentation fault due to accessing uninitialized memory
- applied patch to initialize variables holding TLS certificate and key correctly
- server no longer crashes in described situation, but logs the information about the failure and continues execution
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0899.html