From 9282e6edea48ca423d8c5d2a987cb4e40f975e67 Mon Sep 17 00:00:00 2001
From: Ryan Tandy
Date: Thu, 14 May 2020 07:56:28 -0700
Subject: [PATCH] ITS#8155 Support cacertdir with GnuTLS
---
 configure.in | 6 +++---
 .../admin/appendix-recommended-versions.sdf | 2 +-
 doc/man/man5/ldap.conf.5 | 1 -
 doc/man/man5/slapd-config.5 | 3 +--
 doc/man/man5/slapd.conf.5 | 3 +--
 libraries/libldap/tls_g.c | 16 ++++++++++++++--
 6 files changed, 20 insertions(+), 11 deletions(-)
diff --git a/configure.in b/configure.in
index f5bb6f2fd1..ac367b91e9 100644
--- a/configure.in
+++ b/configure.in
@@ -1206,10 +1206,10 @@ if test $ol_link_tls = no ; then
 if test $ac_cv_header_gnutls_gnutls_h = yes ; then
 AC_PREPROC_IFELSE([AC_LANG_SOURCE(
 [[#include ]
-[#if GNUTLS_VERSION_NUMBER < 0x030202]
-[#error "GnuTLS 3.2.2 or newer required"]
+[#if GNUTLS_VERSION_NUMBER < 0x030306]
+[#error "GnuTLS is too old"]
 [#endif]])],
- , [AC_MSG_FAILURE([GnuTLS is too old])])
+ , [AC_MSG_FAILURE([GnuTLS 3.3.6 or newer required])])
 AC_CHECK_LIB(gnutls, gnutls_init,
 [have_gnutls=yes], [have_gnutls=no])
diff --git a/doc/guide/admin/appendix-recommended-versions.sdf b/doc/guide/admin/appendix-recommended-versions.sdf
index 5a5c917cb8..830293a2e5 100644
--- a/doc/guide/admin/appendix-recommended-versions.sdf
+++ b/doc/guide/admin/appendix-recommended-versions.sdf
@@ -16,7 +16,7 @@ H2: Dependency Versions
 Feature|Software|Version
 {{TERM[expand]TLS}}:
 |{{PRD:OpenSSL}}|0.9.7+
-|{{PRD:GnuTLS}}|2.12.0
+|{{PRD:GnuTLS}}|3.3.6+
 {{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+
 {{TERM[expand]Kerberos}}:
 |{{PRD:Heimdal}}|Version
diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
index 4974f83400..1b8649496b 100644
--- a/doc/man/man5/ldap.conf.5
+++ b/doc/man/man5/ldap.conf.5
@@ -322,7 +322,6 @@ certificates in separate individual files. The
 .B TLS_CACERT
 is always used before
 .B TLS_CACERTDIR.
-This parameter is ignored with GnuTLS.
 .TP
 .B TLS_CERT
 Specifies the file that contains the client certificate.
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index dc0ab769f3..93b8efd982 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -877,8 +877,7 @@ will recognize.
 Specifies the path of a directory that contains Certificate Authority
 certificates in separate individual files. Usually only one of this
 or the olcTLSCACertificateFile is defined. If both are specified, both
-locations will be used. This directive is not supported
-when using GnuTLS.
+locations will be used.
 .TP
 .B olcTLSCertificateFile:
 Specifies the file that contains the
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index 73a151a701..0e4d31f7a1 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1111,8 +1111,7 @@ appended to the file; the order is not significant.
 .B TLSCACertificatePath
 Specifies the path of a directory that contains Certificate Authority
 certificates in separate individual files. Usually only one of this
-or the TLSCACertificateFile is used. This directive is not supported
-when using GnuTLS.
+or the TLSCACertificateFile is used.
 .TP
 .B TLSCertificateFile
 Specifies the file that contains the
diff --git a/libraries/libldap/tls_g.c b/libraries/libldap/tls_g.c
index e2a2855a9d..3d80cf4d97 100644
--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
@@ -195,8 +195,20 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 }
 if (lo->ldo_tls_cacertdir != NULL) {
- Debug0( LDAP_DEBUG_ANY,
- "TLS: warning: cacertdir not implemented for gnutls\n" );
+ rc = gnutls_certificate_set_x509_trust_dir(
+ ctx->cred,
+ lt->lt_cacertdir,
+ GNUTLS_X509_FMT_PEM );
+ if ( rc > 0 ) {
+ Debug2( LDAP_DEBUG_TRACE,
+ "TLS: loaded %d CA certificates from directory `%s'.\n",
+ rc, lt->lt_cacertdir );
+ } else {
+ Debug1( LDAP_DEBUG_ANY,
+ "TLS: warning: no certificate found in CA certificate directory `%s'.\n",
+ lt->lt_cacertdir );
+ /* only warn, no return */
+ }
 }
 if (lo->ldo_tls_cacertfile != NULL) {
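Review bot: The `else` branch after `gnutls_certificate_set_x509_trust_dir` folds a negative return (a GnuTLS error code, e.g. an unreadable directory) into the same "no certificate found" warning as a genuinely empty directory, so a misconfigured trust directory is logged misleadingly and the actual error is discarded; an operator then cannot tell why the expected anchors are absent and verification later fails or falls back to whatever cacertfile supplied. Distinguishing the two keeps the only-warn policy while reporting the cause: `} else if ( rc < 0 ) { Debug2( LDAP_DEBUG_ANY, "TLS: could not load CA certificates from directory %s: %s\n", lt->lt_cacertdir, gnutls_strerror( rc ) ); } else {`. The guard tests `lo->ldo_tls_cacertdir` while the call passes `lt->lt_cacertdir`; this presumably mirrors the existing cacertfile branch that follows, but it is worth confirming the two are always populated together. tlsg_ctx_init starts and ends outside the hunk, so whether a later `return rc` can observe a negative value left here by the warn-only path cannot be checked from this view.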