Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 811468 - not all certificates in OpenSSL compatible CA certificate directory format are loaded
Summary: not all certificates in OpenSSL compatible CA certificate directory format ar...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Jan Vcelak
QA Contact: David Spurek
URL:
Whiteboard:
Depends On: 609722
Blocks: 593242 649048 699652
TreeView+ depends on / blocked
 
Reported: 2012-04-11 07:52 UTC by David Spurek
Modified: 2015-03-02 05:26 UTC (History)
10 users (show)

Fixed In Version: openldap-2.4.23-29.el6
Doc Type: Bug Fix
Doc Text:
Cause: OpenSSL hashed CA certificate directory is configured to be used as a source for trusted CA certificates. libldap assumes that filenames of all hashed certificates should end with '.0', which is not correct. Any numeric suffix is allowed. Consequence: Only certificates with '.0' suffix are loaded. Fix: Patch applied which updates checking of filenames of files in OpenSSL CA certificate directory. Result: All certificates with a filename, which is allowed in hashed OpenSSL CA certificate directory are loaded.
Clone Of: 609722
: 852786 (view as bug list)
Environment:
Last Closed: 2013-02-21 09:45:35 UTC
Target Upstream Version:


Attachments (Terms of Use)
proposed patch (deleted)
2012-08-29 14:46 UTC, Jan Vcelak
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:0364 normal SHIPPED_LIVE openldap bug fix and enhancement update 2013-02-20 20:52:54 UTC

Comment 6 Jan Vcelak 2012-08-29 14:46:38 UTC
Created attachment 607923 [details]
proposed patch

Proposed patch. Uses regular expressions instead of checking for '.0' file extension wrongly. Following format is allowed: ^[0-9a-f]{8}\\.[0-9]+$

Upstream submission:
http://www.openldap.org/its/index.cgi?findid=7374

Comment 11 Jan Vcelak 2012-09-25 16:10:26 UTC
Resolved in: openldap-2.4.23-29.el6

Comment 15 errata-xmlrpc 2013-02-21 09:45:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0364.html


Note You need to log in before you can comment on or make changes to this bug.