Bug 811468 - not all certificates in OpenSSL compatible CA certificate directory format are loaded
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
6.3
All Linux
medium Severity medium
: rc
: ---
Assigned To: Jan Vcelak
David Spurek
: Reopened
Depends On: 609722
Blocks: 593242 649048 699652
Reported: 2012-04-11 03:52 EDT by David Spurek
Modified: 2015-03-02 00:26 EST

Fixed In Version: openldap-2.4.23-29.el6
Doc Type: Bug Fix
Doc Text:
Cause: An OpenSSL hashed CA certificate directory is configured to be used as a source for trusted CA certificates. libldap assumes that filenames of all hashed certificates should end with '.0', which is not correct. Any numeric suffix is allowed.
Consequence: Only certificates with the '.0' suffix are loaded.
Fix: A patch was applied which updates the checking of filenames of files in the OpenSSL CA certificate directory.
Result: All certificates with a filename that is allowed in a hashed OpenSSL CA certificate directory are loaded.
Clone Of: 609722
: 852786
Last Closed: 2013-02-21 04:45:35 EST


Attachments
proposed patch (3.40 KB, patch)
2012-08-29 10:46 EDT, Jan Vcelak
Comment 6 Jan Vcelak 2012-08-29 10:46:38 EDT
Created attachment 607923
proposed patch

Proposed patch. Uses regular expressions instead of checking for '.0' file extension wrongly. Following format is allowed: ^[0-9a-f]{8}\\.[0-9]+$

Upstream submission:
http://www.openldap.org/its/index.cgi?findid=7374
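
The difference between the two filename checks, as an added example that is not part of the bug report or the attached patch. `legacy_accepts` approximates the pre-fix behaviour described in the Doc Text with a plain suffix test, `fixed_accepts` applies the pattern quoted in comment 6 through POSIX `regcomp`, and the function names and directory listing are constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Pattern quoted in comment 6, written as a POSIX extended regex. */
#define HASHED_CA_PATTERN "^[0-9a-f]{8}\\.[0-9]+$"

/* Assumed pre-fix behaviour per the Doc Text: only names ending in ".0". */
static int legacy_accepts(const char *name)
{
    size_t n = strlen(name);
    return n >= 2 && strcmp(name + n - 2, ".0") == 0;
}

/* Post-fix behaviour: the whole name must match the pattern.
 * Returns 1 on match, 0 on no match, -1 if the pattern fails to compile. */
static int fixed_accepts(const char *name)
{
    regex_t re;
    if (regcomp(&re, HASHED_CA_PATTERN, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, name, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Constructed directory listing (not taken from the bug report). */
static const char *const sample_dir[] = {
    "5ad8a5d6.0",   /* first CA with this subject hash */
    "5ad8a5d6.1",   /* second CA with the same hash: skipped before the fix */
    "9d04f354.12",  /* multi-digit suffix */
    "0a1b2c3d.7",   /* any numeric suffix is allowed */
    "ca-bundle.0",  /* not a hash name, but a plain suffix test accepts it */
    "5AD8A5D6.0",   /* uppercase hex: outside the quoted pattern */
    "5ad8a5d6.r0",  /* CRL-style name: not a certificate entry */
};
#define SAMPLE_COUNT (sizeof sample_dir / sizeof sample_dir[0])

/* Count how many sample names the given check would load. */
static int count_accepted(int (*check)(const char *))
{
    int n = 0;
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        n += (check(sample_dir[i]) == 1);
    return n;
}

int main(void)
{
    printf("legacy: %d, fixed: %d\n",
           count_accepted(legacy_accepts), count_accepted(fixed_accepts));
    return 0;
}
```

When auditing a trust directory, names that fail the pattern are the ones to look at: after the fix they are ignored, so a CA stored under such a name is not trusted by libldap.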
Comment 11 Jan Vcelak 2012-09-25 12:10:26 EDT
Resolved in: openldap-2.4.23-29.el6
Comment 15 errata-xmlrpc 2013-02-21 04:45:35 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0364.html
