diff --git a/openldap-openssl-manpage-defaultCA.patch b/openldap-openssl-manpage-defaultCA.patch
new file mode 100644
index 0000000..7ec2caa
--- /dev/null
+++ b/openldap-openssl-manpage-defaultCA.patch
@@ -0,0 +1,48 @@
+Reference default system-wide CA certificates in manpages
+
+OpenSSL, unless explicitly configured, uses system-wide default set of CA
+certificates.
+
+Author: Matus Honek
+
+diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5
+--- a/doc/man/man5/ldap.conf.5
++++ b/doc/man/man5/ldap.conf.5
+@@ -307,6 +307,9 @@ are more options you can specify. These options are used when an
+ .B ldaps:// URI
+ is selected (by default or otherwise) or when the application
+ negotiates TLS by issuing the LDAP StartTLS operation.
++.LP
++When using OpenSSL, if neither \fBTLS_CACERT\fP nor \fBTLS_CACERTDIR\fP
++is set, the system-wide default set of CA certificates is used.
+ .TP
+ .B TLS_CACERT
+ Specifies the file that contains certificates for all of the Certificate
+diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
+--- a/doc/man/man5/slapd-config.5
++++ b/doc/man/man5/slapd-config.5
+@@ -801,6 +801,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither \fBolcTLSCACertificateFile\fP nor
++\fBolcTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B olcTLSCipherSuite:
+ Permits configuring what ciphers will be accepted and the preference order.
+diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
+--- a/doc/man/man5/slapd.conf.5
++++ b/doc/man/man5/slapd.conf.5
+@@ -1032,6 +1032,10 @@ If
+ .B slapd
+ is built with support for Transport Layer Security, there are more options
+ you can specify.
++.LP
++When using OpenSSL, if neither \fBTLSCACertificateFile\fP nor
++\fBTLSCACertificatePath\fP is set, the system-wide default set of CA
++certificates is used.
+ .TP
+ .B TLSCipherSuite
+ Permits configuring what ciphers will be accepted and the preference order.
diff --git a/openldap.spec b/openldap.spec
index 349cb71..62f0c07 100644
--- a/openldap.spec
+++ b/openldap.spec
@@ -36,6 +36,7 @@ Patch19: openldap-switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.patch Patch20: openldap-ldapi-sasl.patch Patch22: openldap-openssl-ITS7595-Add-EC-support-1.patch Patch23: openldap-openssl-ITS7595-Add-EC-support-2.patch +Patch24: openldap-openssl-manpage-defaultCA.patch # check-password module specific patches Patch90: check-password-makefile.patch @@ -114,6 +115,7 @@ AUTOMAKE=%{_bindir}/true autoreconf -fi %patch20 -p1 %patch22 -p1 %patch23 -p1 +%patch24 -p1 # build smbk5pwd with other overlays ln -s ../../../contrib/slapd-modules/smbk5pwd/smbk5pwd.c servers/slapd/overlays @@ -483,6 +485,9 @@ exit 0 %{_mandir}/man3/* %changelog +* Mon Dec 17 2018 Matus Honek - 2.4.46-10 +- Reference default system-wide CA certificates in manpages (#1611591) + * Tue Oct 16 2018 Matus Honek - 2.4.46-10 - Revert "Fix: Cannot use SSL3 anymore"