+++ This bug was initially created as a clone of Bug #810462 +++ Description of problem: Connecting to a server with self-signed certificate without basic constraint extension fails. This kind of error seems to stop connecting even if TLS_REQCERT=never is set. Version-Release number of selected component (if applicable): openldap-2.4.26-7.fc16 How reproducible: Steps to Reproduce: 1. generate self-signed server certificate with: certutil -d . -S -x -n ldap -s "CN=server" -t TC,, 2. setup permissions, setup slapd, setup client 3. ldapsearch -x -ZZ -H ldap://server Actual results: TLS: certificate [CN=server] is not valid - CA cert is not valid TLS: certificate [CN=server] is not valid - error -8172:Peer's certificate issuer has been marked as not trusted by the user.. TLS: error: connect - force handshake failure: errno 21 - moznss error -8157 TLS: can't connect: TLS error -8157:Certificate extension not found.. ldap_err2string ldap_start_tls: Connect error (-11) additional info: TLS error -8157:Certificate extension not found. Expected results: successful connection Additional info: --- Additional comment from jvcelak on 2012-04-26 10:11:59 CEST --- This is not right. My configuration was wrong, no certificates were available. But the error message is wrong, it is completely unrelated to the problem which happened. The original error can was overwritten with the error from the report in tlsm_verify_cert(). While walking through the verification log, basic extension from the certificate is requested in case there is a SEC_ERROR_CA_CERT_INVALID error. If the extension is not a part of the certificate, the original error is overwritten. PR_GetError() and PR_SetError() should fix that. --- Additional comment from jvcelak on 2012-05-28 14:18:50 CEST --- Created attachment 587230 [details] proposed patch Broken version: $ ldapsearch -x -ZZ ldap_start_tls: Connect error (-11) additional info: TLS error -8157:Certificate extension not found. Fixed version: $ ../_build/clients/tools/ldapsearch -x -ZZ ldap_start_tls: Connect error (-11) additional info: TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user. --- Additional comment from jvcelak on 2012-05-28 14:21:43 CEST --- The patch fixes the issue with LDAPTLS_REQCERT=never as well. --- Additional comment from jvcelak on 2012-06-05 11:54:31 CEST --- Submitted upstream: http://www.openldap.org/its/index.cgi?findid=7287 --- Additional comment from jvcelak on 2012-06-05 13:36:48 CEST --- Committed upstream: http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=dc3842f
Resolved in: openldap-2.4.23-29.el6
*** Bug 863456 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0364.html