ITS#6975 MozNSS - allow cacertdir in most cases · 7e528ae8
Rich Megginson authored and Quanah Gibson-Mount committed
    OpenLDAP built with OpenSSL allows most any value of cacertdir - directory
    is a file, directory does not contain any CA certs, directory does not
    exist - users expect if they specify TLS_REQCERT=never, no matter what
    the TLS_CACERTDIR setting is, TLS/SSL will just work.
    TLS_CACERT, on the other hand, is a hard error.  Even if TLS_REQCERT=never,
    if TLS_CACERT is specified and is not a valid CA cert file, TLS/SSL will
    fail.  This patch makes CACERT errors hard errors, and makes CACERTDIR
    errors "soft" errors.  The code checks CACERT first and, even though
    the function will return an error, checks CACERTDIR anyway so that if the
    user sets TRACE mode they will get CACERTDIR processing messages.
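The hard/soft ordering the commit message describes, as an added Python model (not OpenLDAP's code; it assumes a "valid CA cert file" can be approximated by a readable file containing a PEM certificate header, and the function names and the constructed inputs in `demo()` are hypothetical):

```python
import os
import tempfile
from dataclasses import dataclass, field
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

@dataclass
class CaCheck:
    hard_error: bool = False            # set only by a bad TLS_CACERT
    messages: list = field(default_factory=list)

def _looks_like_pem_cert(path):
    # Simplification (assumption): readable file containing a PEM cert header.
    try:
        with open(path, "rb") as f:
            return PEM_MARKER in f.read()
    except OSError:
        return False

def check_ca_settings(cacert=None, cacertdir=None, trace=False):
    """TLS_CACERT problems are hard errors; TLS_CACERTDIR problems are soft
    (recorded, TLS proceeds); CACERTDIR is inspected even after a CACERT
    failure so that TRACE output still shows the directory processing."""
    r = CaCheck()
    if cacert is not None and not _looks_like_pem_cert(cacert):
        r.hard_error = True
        r.messages.append(f"error: TLS_CACERT {cacert}: not a valid CA cert file")
    if cacertdir is not None:            # checked regardless of hard_error
        if not os.path.isdir(cacertdir):
            r.messages.append(f"warning: TLS_CACERTDIR {cacertdir}: not a directory, ignored")
        else:
            certs = [n for n in os.listdir(cacertdir)
                     if _looks_like_pem_cert(os.path.join(cacertdir, n))]
            if not certs:
                r.messages.append(f"warning: TLS_CACERTDIR {cacertdir}: no CA certs, ignored")
            elif trace:
                r.messages.append(f"trace: TLS_CACERTDIR {cacertdir}: loaded {len(certs)} cert(s)")
    return r

def demo():
    """Constructed inputs (not real certificates); returns results keyed by scenario."""
    d = tempfile.mkdtemp()
    good = os.path.join(d, "ca.pem")
    with open(good, "wb") as f:
        f.write(PEM_MARKER + b"\nAAAA\n-----END CERTIFICATE-----\n")
    return {
        "bad_cacert_missing_dir": check_ca_settings(os.path.join(d, "no.pem"),
                                                    os.path.join(d, "nodir"), trace=True),
        "cacertdir_is_a_file": check_ca_settings(cacertdir=good),
        "good_cacertdir": check_ca_settings(cacertdir=d, trace=True),
    }
```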