From 447877f2ade6967f9f95de9e171fc8837d2b569d Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jan 21 2020 18:10:47 +0000
Subject: import openldap-2.4.46-10.el8
---
diff --git a/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch b/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
new file mode 100644
index 0000000..9fc9b01
--- /dev/null
+++ b/SOURCES/openldap-tlso-dont-check-cn-when-bad-san.patch
@@ -0,0 +1,29 @@
+Do not check CN when checking SAN failed
+
+This is to make it compliant with RFC 6125:
+https://tools.ietf.org/html/rfc6125#section-6.4.4
+
+Author: Matus Honek
+
+diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
+index 92c708be0..46b48a3fb 100644
+--- a/libraries/libldap/tls_o.c
++++ b/libraries/libldap/tls_o.c
+@@ -675,11 +675,16 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
+ GENERAL_NAMES_free(alt);
+ if (i < n) { /* Found a match */
+ ret = LDAP_SUCCESS;
++ } else { /* None matched */
++ Debug( LDAP_DEBUG_ANY, "TLS: hostname (%s) does not match any "
++ "SAN in certificate.\n",
++ name, NULL, NULL );
++ ret = LDAP_CONNECT_ERROR;
+ }
+ }
+ }
+
+- if (ret != LDAP_SUCCESS) {
++ if (ret == LDAP_LOCAL_ERROR) {
+ X509_NAME *xn;
+ X509_NAME_ENTRY *ne;
+ ASN1_OBJECT *obj;
diff --git a/SPECS/openldap.spec b/SPECS/openldap.spec
index b260577..be01b99 100644
--- a/SPECS/openldap.spec
+++ b/SPECS/openldap.spec
@@ -5,7 +5,7 @@ Name: openldap
 Version: 2.4.46
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: LDAP support libraries
 License: OpenLDAP
 URL: http://www.openldap.org/
@@ -37,6 +37,7 @@ Patch20: openldap-ldapi-sasl.patch
 Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch
 Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch
 Patch24: openldap-openssl-manpage-defaultCA.patch
+Patch25: openldap-tlso-dont-check-cn-when-bad-san.patch
 # check-password module specific patches
 Patch90: check-password-makefile.patch
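Review bot: The replacement condition `if (ret == LDAP_LOCAL_ERROR) {` makes the CN fallback depend on `ret` still holding the value it was given before the SAN block, which is assigned above the hunk and outside view, so a comment at that line should record the invariant, e.g. `/* No usable SAN was present (ret untouched): CN may be consulted, RFC 6125 6.4.4 */`. The new else branch sets `ret = LDAP_CONNECT_ERROR` whenever the loop exits without a match, so whether a certificate whose SAN lists only non-DNS/IP names still reaches the CN fallback depends on how `n` is counted earlier in the function; RFC 6125 permits the fallback in that case, so it is worth confirming against the counting code. The Debug message reports the reference hostname rather than the presented names, which is enough for diagnosis and avoids echoing certificate contents. tlso_session_chkhost starts and ends outside the hunk.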
@@ -116,6 +117,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi
 %patch22 -p1
 %patch23 -p1
 %patch24 -p1
+%patch25 -p1
 # build smbk5pwd with other overlays
 ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays
@@ -485,6 +487,9 @@ exit 0
 %{_mandir}/man3/*
 %changelog
+* Sun Aug 18 2019 Matus Honek - 2.4.46-10
+- Do not fallback to checking CN when no SAN matched (#1740070)
+
 * Mon Dec 17 2018 Matus Honek - 2.4.46-9 - Reference default system-wide CA certificates in manpages (#1611624)