Commit 9282e6ed authored by Ryan Tandy's avatar Ryan Tandy

ITS#8155 Support cacertdir with GnuTLS

parent fc8a7b25
......@@ -1206,10 +1206,10 @@ if test $ol_link_tls = no ; then
if test $ac_cv_header_gnutls_gnutls_h = yes ; then
AC_PREPROC_IFELSE([AC_LANG_SOURCE(
[[#include <gnutls/gnutls.h>]
[#if GNUTLS_VERSION_NUMBER < 0x030202]
[#error "GnuTLS 3.2.2 or newer required"]
[#if GNUTLS_VERSION_NUMBER < 0x030306]
[#error "GnuTLS is too old"]
[#endif]])],
, [AC_MSG_FAILURE([GnuTLS is too old])])
, [AC_MSG_FAILURE([GnuTLS 3.3.6 or newer required])])
AC_CHECK_LIB(gnutls, gnutls_init,
[have_gnutls=yes], [have_gnutls=no])
......
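Review bot: The new `#error "GnuTLS is too old"` in the AC_PREPROC_IFELSE source drops the version number that the replaced line carried, while the matching AC_MSG_FAILURE on the next changed line does state 3.3.6; since the `#error` text is what lands in config.log, keeping them aligned helps whoever debugs a failed configure, e.g. `[#error "GnuTLS 3.3.6 or newer required"]`. Separately, this check only inspects the header version and AC_CHECK_LIB still probes gnutls_init, so a header newer than the installed library would presumably pass configure and only fail at link time on the newly used trust-dir function; probing that symbol instead would catch the mismatch earlier, if the build links it here.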
......@@ -16,7 +16,7 @@ H2: Dependency Versions
Feature|Software|Version
{{TERM[expand]TLS}}:
|{{PRD:OpenSSL}}|0.9.7+
|{{PRD:GnuTLS}}|2.12.0
|{{PRD:GnuTLS}}|3.3.6+
{{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+
{{TERM[expand]Kerberos}}:
|{{PRD:Heimdal}}|Version
......
......@@ -322,7 +322,6 @@ certificates in separate individual files. The
.B TLS_CACERT
is always used before
.B TLS_CACERTDIR.
This parameter is ignored with GnuTLS.
.TP
.B TLS_CERT <filename>
Specifies the file that contains the client certificate.
......
......@@ -877,8 +877,7 @@ will recognize.
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the olcTLSCACertificateFile is defined. If both are specified, both
locations will be used. This directive is not supported
when using GnuTLS.
locations will be used.
.TP
.B olcTLSCertificateFile: <filename>
Specifies the file that contains the
......
......@@ -1111,8 +1111,7 @@ appended to the file; the order is not significant.
.B TLSCACertificatePath <path>
Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this
or the TLSCACertificateFile is used. This directive is not supported
when using GnuTLS.
or the TLSCACertificateFile is used.
.TP
.B TLSCertificateFile <filename>
Specifies the file that contains the
......
......@@ -195,8 +195,20 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
}
if (lo->ldo_tls_cacertdir != NULL) {
Debug0( LDAP_DEBUG_ANY,
"TLS: warning: cacertdir not implemented for gnutls\n" );
rc = gnutls_certificate_set_x509_trust_dir(
ctx->cred,
lt->lt_cacertdir,
GNUTLS_X509_FMT_PEM );
if ( rc > 0 ) {
Debug2( LDAP_DEBUG_TRACE,
"TLS: loaded %d CA certificates from directory `%s'.\n",
rc, lt->lt_cacertdir );
} else {
Debug1( LDAP_DEBUG_ANY,
"TLS: warning: no certificate found in CA certificate directory `%s'.\n",
lt->lt_cacertdir );
/* only warn, no return */
}
}
if (lo->ldo_tls_cacertfile != NULL) {
......
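Review bot: A negative return from gnutls_certificate_set_x509_trust_dir (a GnuTLS error code rather than a certificate count, e.g. an unreadable directory) falls into the final `else` of the hunk and is logged as "no certificate found", which hides the actual cause from the operator. Splitting out `rc < 0` and logging gnutls_strerror( rc ) keeps the warn-only behaviour the comment documents while making the diagnostic accurate. The guard tests lo->ldo_tls_cacertdir but the call passes lt->lt_cacertdir; the cacertfile branch on the hunk's last line follows the same pattern, so this looks intentional, but it is worth confirming the two are always populated together. tlsg_ctx_init begins and ends outside the hunk.
```c
	/* … unchanged: trust-dir call and the rc > 0 trace message … */
	} else if ( rc < 0 ) {
		Debug2( LDAP_DEBUG_ANY,
			"TLS: warning: could not load CA certificates from directory `%s': %s\n",
			lt->lt_cacertdir, gnutls_strerror( rc ) );
		/* only warn, no return */
	} else {
		/* … unchanged: "no certificate found" warning … */
	}
```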