7145399 Problem with network/ftp_server s11-sru
authorTomas Klacko <tomas.klacko@oracle.com>
Mon, 25 Jun 2012 04:53:38 -0700
branchs11-sru
changeset 2296 aae214ddeb83
parent 2295 6ab181a7f415
child 2297 b92448da0330
7145399 Problem with network/ftp_server
components/proftpd/patches/mod_tls_self_signed.patch
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/proftpd/patches/mod_tls_self_signed.patch	Mon Jun 25 04:53:38 2012 -0700
@@ -0,0 +1,29 @@
+--- a/contrib/mod_tls.c
++++ b/contrib/mod_tls.c
[email protected]@ -3962,6 +3962,7 @@ static int tls_verify_cb(int ok, X509_STORE_CTX *ctx) {
+       case X509_V_ERR_CERT_HAS_EXPIRED:
+       case X509_V_ERR_CERT_REVOKED:
+       case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
++      case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+       case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY:
+       case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE:
+       case X509_V_ERR_APPLICATION_VERIFICATION:
[email protected]@ -3986,17 +3987,6 @@ static int tls_verify_cb(int ok, X509_STORE_CTX *ctx) {
+         break;
+       }
+ 
+-      case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
+-        /* XXX this is strange. we get this error for certain clients
+-         * (i.e. Jeff Altman's kftp) when all is ok. I think it's because the
+-         * client is actually sending the whole CA cert. This must be figured
+-         * out, but we let it pass for now. If the CA cert isn't available
+-         * locally, we will fail anyway.
+-         */
+-        tls_log("%s", X509_verify_cert_error_string(ctx->error));
+-        ok = 1;
+-        break;
+-
+       default:
+         tls_log("error verifying client certificate: [%d] %s",
+           ctx->error, X509_verify_cert_error_string(ctx->error));
+