ITS#8155 Support cacertdir with GnuTLS
authorRyan Tandy <ryan@nardis.ca>
Thu, 14 May 2020 14:56:28 +0000 (07:56 -0700)
committerRyan Tandy <ryan@nardis.ca>
Thu, 14 May 2020 14:56:28 +0000 (07:56 -0700)
configure.in
doc/guide/admin/appendix-recommended-versions.sdf
doc/man/man5/ldap.conf.5
doc/man/man5/slapd-config.5
doc/man/man5/slapd.conf.5
libraries/libldap/tls_g.c

index f5bb6f2fd1296e593be74bedf21cc3eed9adc2e3..ac367b91e9c6fc6529d32b84319b17677706e153 100644 (file)
@@ -1206,10 +1206,10 @@ if test $ol_link_tls = no ; then
                if test $ac_cv_header_gnutls_gnutls_h = yes ; then
                        AC_PREPROC_IFELSE([AC_LANG_SOURCE(
                                [[#include <gnutls/gnutls.h>]
-[#if GNUTLS_VERSION_NUMBER < 0x030202]
-[#error "GnuTLS 3.2.2 or newer required"]
+[#if GNUTLS_VERSION_NUMBER < 0x030306]
+[#error "GnuTLS is too old"]
 [#endif]])],
-                                       , [AC_MSG_FAILURE([GnuTLS is too old])])
+                                       , [AC_MSG_FAILURE([GnuTLS 3.3.6 or newer required])])
 
                        AC_CHECK_LIB(gnutls, gnutls_init,
                                [have_gnutls=yes], [have_gnutls=no])
index 5a5c917cb8cf86337fa82b574b04822904c93ec4..830293a2e5826a89838bee9766161ebb87516028 100644 (file)
@@ -16,7 +16,7 @@ H2: Dependency Versions
 Feature|Software|Version
 {{TERM[expand]TLS}}:
 |{{PRD:OpenSSL}}|0.9.7+
-|{{PRD:GnuTLS}}|2.12.0
+|{{PRD:GnuTLS}}|3.3.6+
 {{TERM[expand]SASL}}|{{PRD:Cyrus SASL}}|2.1.21+
 {{TERM[expand]Kerberos}}:
 |{{PRD:Heimdal}}|Version
index 4974f83400479fc46634863771fa3a14d666b3f3..1b8649496beae605f2fe4f67a03495d4496e2c69 100644 (file)
@@ -322,7 +322,6 @@ certificates in separate individual files. The
 .B TLS_CACERT
 is always used before
 .B TLS_CACERTDIR.
-This parameter is ignored with GnuTLS.
 .TP
 .B TLS_CERT <filename>
 Specifies the file that contains the client certificate.
index dc0ab769f3217c818f03b5368894f20902932318..93b8efd98261cc2b398382baf14613d24556623e 100644 (file)
@@ -877,8 +877,7 @@ will recognize.
 Specifies the path of a directory that contains Certificate Authority
 certificates in separate individual files. Usually only one of this
 or the olcTLSCACertificateFile is defined. If both are specified, both
-locations will be used. This directive is not supported
-when using GnuTLS.
+locations will be used.
 .TP
 .B olcTLSCertificateFile: <filename>
 Specifies the file that contains the
index 73a151a70180d0fd8f43f0614a5a57ada126f3c5..0e4d31f7a132c187768b5c8c9b4d748e89845a3d 100644 (file)
@@ -1111,8 +1111,7 @@ appended to the file; the order is not significant.
 .B TLSCACertificatePath <path>
 Specifies the path of a directory that contains Certificate Authority
 certificates in separate individual files. Usually only one of this
-or the TLSCACertificateFile is used. This directive is not supported
-when using GnuTLS.
+or the TLSCACertificateFile is used.
 .TP
 .B TLSCertificateFile <filename>
 Specifies the file that contains the
index e2a2855a9da2ea07abf726c5aad7b1bf5264bff9..3d80cf4d97076b3c9eee060c527c59520e5e84ec 100644 (file)
@@ -195,8 +195,20 @@ tlsg_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
        }
 
        if (lo->ldo_tls_cacertdir != NULL) {
-               Debug0( LDAP_DEBUG_ANY,
-                      "TLS: warning: cacertdir not implemented for gnutls\n" );
+               rc = gnutls_certificate_set_x509_trust_dir(
+                       ctx->cred,
+                       lt->lt_cacertdir,
+                       GNUTLS_X509_FMT_PEM );
+               if ( rc > 0 ) {
+                       Debug2( LDAP_DEBUG_TRACE,
+                               "TLS: loaded %d CA certificates from directory `%s'.\n",
+                               rc, lt->lt_cacertdir );
+               } else {
+                       Debug1( LDAP_DEBUG_ANY,
+                               "TLS: warning: no certificate found in CA certificate directory `%s'.\n",
+                               lt->lt_cacertdir );
+                       /* only warn, no return */
+               }
        }
 
        if (lo->ldo_tls_cacertfile != NULL) {
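Review bot: A negative return from gnutls_certificate_set_x509_trust_dir (a GnuTLS error code, e.g. an unreadable or missing directory) falls into the new else branch and is logged as "no certificate found", which hides the real cause from the operator and makes a misconfigured trust directory look like an empty one; the `rc < 0` case should be split out and reported with `gnutls_strerror( rc )` at LDAP_DEBUG_ANY. Keeping the warn-only behaviour in that branch is consistent with the comment `/* only warn, no return */`, but the message should say why loading failed. The guard tests `lo->ldo_tls_cacertdir` while the call passes `lt->lt_cacertdir`; presumably these refer to the same setting via `lt`, but using one of the two consistently would avoid a mismatch if they ever diverge. tlsg_ctx_init starts before this hunk and continues after it.
```c
		if ( rc > 0 ) {
			/* … unchanged: trace log of the loaded CA count … */
		} else if ( rc < 0 ) {
			Debug2( LDAP_DEBUG_ANY,
				"TLS: warning: could not load CA certificate directory `%s': %s\n",
				lt->lt_cacertdir, gnutls_strerror( rc ) );
			/* only warn, no return, as for the empty-directory case */
		} else {
			/* … unchanged: "no certificate found" warning … */
		}
```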