Commit 9282e6ed authored by Ryan Tandy's avatar Ryan Tandy

ITS#8155 Support cacertdir with GnuTLS

parent fc8a7b25
...@@ -1206,10 +1206,10 @@ if test $ol_link_tls = no ; then ...@@ -1206,10 +1206,10 @@ if test $ol_link_tls = no ; then
if test $ac_cv_header_gnutls_gnutls_h = yes ; then if test $ac_cv_header_gnutls_gnutls_h = yes ; then
AC_PREPROC_IFELSE([AC_LANG_SOURCE( AC_PREPROC_IFELSE([AC_LANG_SOURCE(
[[#include <gnutls/gnutls.h>] [[#include <gnutls/gnutls.h>]
[#if GNUTLS_VERSION_NUMBER < 0x030202] [#if GNUTLS_VERSION_NUMBER < 0x030306]
[#error "GnuTLS 3.2.2 or newer required"] [#error "GnuTLS is too old"]
[#endif]])], [#endif]])],
, [AC_MSG_FAILURE([GnuTLS is too old])]) , [AC_MSG_FAILURE([GnuTLS 3.3.6 or newer required])])
AC_CHECK_LIB(gnutls, gnutls_init, AC_CHECK_LIB(gnutls, gnutls_init,
[have_gnutls=yes], [have_gnutls=no]) [have_gnutls=yes], [have_gnutls=no])
......
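Review bot: The AC_CHECK_LIB probe on the line after the version test still looks for gnutls_init, while the new 3.3.6 floor exists because the tls_g.c change in this commit calls gnutls_certificate_set_x509_trust_dir; a host with 3.3.6 headers but an older libgnutls therefore passes the preprocessor check and fails only at link time. Probing the symbol that motivates the bound, `AC_CHECK_LIB(gnutls, gnutls_certificate_set_x509_trust_dir,`, would make configure stop with the intended "GnuTLS 3.3.6 or newer required" message instead. A short comment above the `#if GNUTLS_VERSION_NUMBER` line naming that API would also tell the next person who raises the minimum why this value was chosen.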
...@@ -16,7 +16,7 @@ H2: Dependency Versions ...@@ -16,7 +16,7 @@ H2: Dependency Versions
Feature|Software|Version Feature|Software|Version
{{TERM[expand]TLS}}: {{TERM[expand]TLS}}:
|{{PRD:OpenSSL}}|0.9.7+ |{{PRD:OpenSSL}}|0.9.7+
|{{PRD:GnuTLS}}|2.12.0 |{{PRD:GnuTLS}}|3.3.6+
{{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+ {{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+
{{TERM[expand]Kerberos}}: {{TERM[expand]Kerberos}}:
|{{PRD:Heimdal}}|Version |{{PRD:Heimdal}}|Version
......
...@@ -322,7 +322,6 @@ certificates in separate individual files. The ...@@ -322,7 +322,6 @@ certificates in separate individual files. The
.B TLS_CACERT .B TLS_CACERT
is always used before is always used before
.B TLS_CACERTDIR. .B TLS_CACERTDIR.
This parameter is ignored with GnuTLS.
.TP .TP
.B TLS_CERT <filename> .B TLS_CERT <filename>
Specifies the file that contains the client certificate. Specifies the file that contains the client certificate.
......
...@@ -877,8 +877,7 @@ will recognize. ...@@ -877,8 +877,7 @@ will recognize.
Specifies the path of a directory that contains Certificate Authority Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this certificates in separate individual files. Usually only one of this
or the olcTLSCACertificateFile is defined. If both are specified, both or the olcTLSCACertificateFile is defined. If both are specified, both
locations will be used. This directive is not supported locations will be used.
when using GnuTLS.
.TP .TP
.B olcTLSCertificateFile: <filename> .B olcTLSCertificateFile: <filename>
Specifies the file that contains the Specifies the file that contains the
......
...@@ -1111,8 +1111,7 @@ appended to the file; the order is not significant. ...@@ -1111,8 +1111,7 @@ appended to the file; the order is not significant.
.B TLSCACertificatePath <path> .B TLSCACertificatePath <path>
Specifies the path of a directory that contains Certificate Authority Specifies the path of a directory that contains Certificate Authority
certificates in separate individual files. Usually only one of this certificates in separate individual files. Usually only one of this
or the TLSCACertificateFile is used. This directive is not supported or the TLSCACertificateFile is used.
when using GnuTLS.
.TP .TP
.B TLSCertificateFile <filename> .B TLSCertificateFile <filename>
Specifies the file that contains the Specifies the file that contains the
......
...@@ -195,8 +195,20 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server ) ...@@ -195,8 +195,20 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
} }
if (lo->ldo_tls_cacertdir != NULL) { if (lo->ldo_tls_cacertdir != NULL) {
Debug0( LDAP_DEBUG_ANY, rc = gnutls_certificate_set_x509_trust_dir(
"TLS: warning: cacertdir not implemented for gnutls\n" ); ctx->cred,
lt->lt_cacertdir,
GNUTLS_X509_FMT_PEM );
if ( rc > 0 ) {
Debug2( LDAP_DEBUG_TRACE,
"TLS: loaded %d CA certificates from directory `%s'.\n",
rc, lt->lt_cacertdir );
} else {
Debug1( LDAP_DEBUG_ANY,
"TLS: warning: no certificate found in CA certificate directory `%s'.\n",
lt->lt_cacertdir );
/* only warn, no return */
}
} }
if (lo->ldo_tls_cacertfile != NULL) { if (lo->ldo_tls_cacertfile != NULL) {
......
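Review bot: The else branch collapses two different outcomes of gnutls_certificate_set_x509_trust_dir: GnuTLS returns the number of certificates loaded or a negative error code, so a permission or parse failure on the directory is logged as "no certificate found" and the error code is discarded. Splitting out `rc < 0` and logging `gnutls_strerror( rc )` keeps the warn-only policy but makes a misconfigured or unreadable TLS_CACERTDIR diagnosable, which matters because an empty trust store surfaces later as a certificate verification failure rather than here. The `/* only warn, no return */` comment would be clearer as `/* only warn, no return: an empty or unreadable directory is reported at verification time, matching the cacertfile case */` if that is indeed the intended behaviour. tlsg_ctx_init begins before this hunk and continues after it.
```c
		if ( rc > 0 ) {
			/* … unchanged: LDAP_DEBUG_TRACE "loaded %d CA certificates" message … */
		} else if ( rc < 0 ) {
			/* negative is a GnuTLS error code, not an empty directory */
			Debug2( LDAP_DEBUG_ANY,
				"TLS: warning: could not load CA certificates from directory `%s': %s.\n",
				lt->lt_cacertdir, gnutls_strerror( rc ) );
			/* only warn, no return */
		} else {
			/* … unchanged: "no certificate found" warning … */
		}
```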